On Tuesday 21 December 2010, John Goerzen wrote: > I reported bug #605484 regarding a security hole in lenny. I > believe the security team was CC'd. > > Prior to my report, > http://security-tracker.debian.org/tracker/CVE-2010-3872 said that > Debian/stable was not vulnerable. I also notified them to correct > this issue. > > My question here is: who's got the ball on security issues? It > seems that this issue didn't trigger any bugs being created or any > bugs being filed in Debian when it came out. When I did what I > thought was appropriate, it also didn't trigger much. The > maintainer was interested in it, but AFAICT there are, as yet, no > new packages. > > This is not an attack on any person/team, just a question about > whether we have an organizational problem we need to correct.
The problem is a combination of several security team members being inactive because of work/thesis/... and the other members being kept busy by things which had higher priority. For example fixing the recent exim remote root vulnerability and sorting out infrastructure breakage due to the dak upgrade on security-master. The upgrade was was necessary to support squeeze. My understanding is that the mod_fcgid issue cannot be triggered by browsers but only if there is a malicious fcgi app on the server, which is not a very common setup. Therefore this seemed like a not-so- high priority issue. I am sorry that nobody found the time to mail this to you. FWIW, it seems the infrastructure has been finally fixed today, so I hope things will improve now. But I do think that there are currently to few active members in the security team. I am pretty sure we will send out a request for new volunteers soon. Cheers, Stefan -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201012212221.36331...@sfritsch.de
