[gentoo-dev] Last rites for net-im/kpopper

2006-02-23 Thread Stefan Cornelius
Hi all,

kpopper has been masked for half a year now because of insecure temporary
file creation (see bug #94475 for details), so now it's time to
completely remove it from portage. If you have objections, please speak
up in a timely fashion or silently wave goodbye to the package.

Thanks and have a nice day,

DerCorny
-- 
gentoo-dev@gentoo.org mailing list



[gentoo-dev] app-arch/zoo: volunteer for simple security patch wanted

2006-02-23 Thread Stefan Cornelius
Hi devs,

app-arch/zoo is prone to a buffer overflow that needs to be patched, but
the package has no maintainer; see http://bugs.gentoo.org/123782 for
details. Since I don't have commit rights, I would appreciate help to
get this sorted out. The patch is really simple and should apply
cleanly, so the whole thing should be done in a matter of minutes.

Thanks in advance,

DerCorny



[gentoo-dev] Security team meeting summary

2006-03-22 Thread Stefan Cornelius
This is the summary of the IRC meeting the Gentoo Linux Security Team had on
Monday, March 20, 20:00 UTC in #gentoo-security (freenode).
A raw IRC log of the meeting can be found here:
http://dev.gentoo.org/~dercorny/security/sec-meeting-20060320.log


The agenda was:
---------------

1/ Project status
   a) GLSA team status
   b) Kernel team status
   c) Audit team status

2/ Improvement areas
   a) Maintainers involvement
   b) Recruitment
   c) Portage integration
   d) Other process or policy improvements

3/ Lead(s) election

4/ Public Q&A



1/ Project status:
------------------

 a) GLSA team status

The number of late GLSAs (i.e. not delivered within the timeframe given by the
policy) drastically increased, by almost 50% [1]. Two main causes have been
identified:
 - The GLSA team is operating close to or below the critical mass of GLSA
   coordinators, which causes delays in certain areas like GLSA voting, drafting
   and reviewing.
 - Package maintainer security awareness is bad: sometimes maintainers don't
   care about security, don't fix bugs in time, don't respond or are completely
   missing. This causes huge delays in GLSA processing.
Possible methods to resolve these issues are discussed in "Improvement areas".

[1] http://dev.gentoo.org/~koon/arch_ratings.png


 b) Kernel team status

Like the GLSA team, the kernel team lacks the manpower needed to operate as
wished. As a result, the KISS project (a system designed to release kernel
security advisories), originally expected to go live by 2005, still isn't
ready for production use, since the manpower to keep it fully updated is
lacking. Although KISS is closely tied to the kernel work, a scout and a
coordinator, who help find and handle kernel bugs, are needed to fully
implement it. Besides that, a draft of the kernel security policy [2] has been
presented, which is expected to reduce the workload for the kernel team while
improving general end-user kernel security awareness.

[2] http://dev.gentoo.org/~johnm/files/kernel-security-policy.txt


 c) Audit team status

The overall status of the audit team isn't too bad. Although the majority of the
audit team is quite busy with non-Gentoo stuff or inactive, a nice list of high
profile security vulnerabilities was discovered. New developers and better
coordination within the team could help to improve the speed of the audit
project, so that bugs get dealt with faster.




2/ Improvement areas:
---------------------

 a) Maintainers involvement

Increasing the security awareness of maintainers is vital to the success of the
Gentoo Linux Security Team. Unfortunately, missing or inactive maintainers are a
general Gentoo problem. The security team can't deal with that alone because it
has no means to punish bad maintainers, so this has to be brought to the
Gentoo council. A powerful QA team could improve the situation by cleaning out
unmaintained packages or taking over if a maintainer doesn't reply in a timely
manner, but this will require changes in the QA policy which are still being
discussed.


 b) Recruitment

As mentioned in the status reports above, every team badly needs more
developers. Since a lot of recruits drop out during recruitment or vanish after
becoming a new developer, it was decided to rethink the recruitment process.
The Security Team will now start to actively look for new members, for example
by writing an article in the GWN. Also, recruits should get more attention
from senior developers, so that they feel involved and learn faster. The
progress of the recruits should be followed closely, so that they can be
promoted appropriately to their skills. Additionally, more documentation will
be written, for example about GLSAmaker.

 c) Portage integration

A goal of the security project is to integrate glsa-check and other useful
security related tools into portage. glsa-check had a lot of improvements
recently, but unfortunately the portage code is considered not yet ready
for a glsa-check integration. Until this changes, portage 2.1 is expected to
bring some new and interesting features from a security point of view, like
security.mask or running glsa-check in a post_sync.


 d) Other process or policy improvements

Nothing special to mention here.




3/ Lead(s) election:
--------------------

 - Koon (Thierry Carrez) stepped back from operational lead
 - Plasmaroo (Tim Yamin) is old and new kernel subproject leader
 - Taviso (Tavis Ormandy) is old and new auditing subproject leader
 - Jaervosz (Sune Kloppenborg Jeppesen) is old and new operational lead
 - DerCorny (Stefan Cornelius) is new operational lead



4/ Public Q&A:
--------------

Nothing special to mention here either. The Gentoo Linux Security team is always
open to new ideas or questions. Write an email to [EMAIL PROTECTED] or visit
us on IRC, #gentoo-security on the freenode network.


EOF




Re: [gentoo-dev] Renewed security risk uhm Dev

2006-04-05 Thread Stefan Cornelius
Hi all,

I would like to thank everybody who congratulated via IRC or here on the
list.

I'd also like to take this opportunity to especially thank Pylon (my
mentor) and Kugelfang (my recruiter), who didn't hesitate to invest
their valuable time in order to help me. Thank you!

Cheers,
Stefan 'DerCorny' Cornelius




[gentoo-dev] net-misc/vnc: Needs a new maintainer, at least a revbump (Security bug)

2006-05-14 Thread Stefan Cornelius
Hi Folks,

net-misc/vnc is vulnerable to an information leak that might lead to
password disclosure (bug #133219). Unfortunately, the original
maintainer aliz is at least semi-retired, thus we're looking for a new
maintainer.

So, if you've some love left for a lonely, homeless package like vnc,
then please step up and have a look at
http://bugs.gentoo.org/show_bug.cgi?id=133219

Thanks in advance and kind regards,
DerCorny




Re: [gentoo-dev] net-misc/vnc: Needs a new maintainer, at least a revbump (Security bug)

2006-05-14 Thread Stefan Cornelius
Ikelos pointed out (thanks!) that only vnc 4.1.X is affected. Since we
don't ship such a version, the security bug is invalid, but the
maintainer problem remains.

Sorry for any inconvenience,
DerCorny




[gentoo-dev] net-www/awstats: security issues, revbump (and probably maintainer) needed

2006-05-29 Thread Stefan Cornelius
Hi Gang,

net-www/awstats is masked because it has open security issues (including
remote code execution), see bug #130487 for details. Version 6.6 was
made to fix it, but unfortunately this version is not working at all
(see bug #134296), so we are trapped between unusable and vulnerable
versions.

Jakub made a patch for version 6.5 to fix these vulnerabilities, but that
very patch still needs to be incorporated into an ebuild and committed as a
revbump.

So, if anyone volunteers to step up and revbump 6.5 with the patch (or fix
6.6 so that it's usable), please don't hesitate. It would also be cool
to have a new maintainer for this one, since ka0ttic seems to be
missing.


Thanks in advance,

Stefan 'DerCorny' Cornelius




Re: [gentoo-dev] net-www/awstats: security issues, revbump (and probably maintainer) needed

2006-05-30 Thread Stefan Cornelius
CHTEKK does this one, thanks.


> Hi Gang,
> 
> net-www/awstats is masked because it has open security issues (including
> remote code execution), see bug #130487 for details. Version 6.6 was
> made to fix it, but unfortunately this version is not working at all
> (see bug #134296), so we are trapped between unusable and vulnerable
> versions.
> 
> Jakub made a patch for version 6.5 to fix these vulnerabilities, but that
> very patch still needs to be incorporated into an ebuild and committed as a
> revbump.
> 
> So, if anyone volunteers to step up and revbump 6.5 with the patch (or fix
> 6.6 so that it's usable), please don't hesitate. It would also be cool
> to have a new maintainer for this one, since ka0ttic seems to be
> missing.
> 
> 
> Thanks in advance,
> 
> Stefan 'DerCorny' Cornelius
> 




[gentoo-dev] Last rites/mask notification: dev-libs/libvc, app-misc/rolo and mail-client/mutt-vc-query

2006-06-02 Thread Stefan Cornelius
Hi Gentoo,

dev-libs/libvc, app-misc/rolo and mail-client/mutt-vc-query were masked
because of the open security bug #127757. It also seems like there was
no upstream release for like 3 years, so these packages are pretty much
dead.

If nobody speaks up or volunteers as maintainer for that cruft, then
this will stay masked until complete removal $SOON.

Thanks to mr_bones_ for masking the deps I forgot and halcy0n for the
heads-up in the bug.


Kind regards,

DerCorny




Re: [gentoo-dev] QA subproject, TreeCleaners

2006-06-03 Thread Stefan Cornelius
+1 from me, too. I also want to offer my help to this project, so ping
me if needed.

Kind regards,

DerCorny




[gentoo-dev] app-text/pstotext in danger of becoming security masked

2005-07-27 Thread Stefan Cornelius
app-text/pstotext has a serious remote vulnerability that allows arbitrary
commands to be executed on a vulnerable system. It appears to be
unmaintained at the moment.

If anyone out there is able to take this on and patch it (honestly, the
patch is small), that would be much appreciated; the bug number is
100245. Otherwise, it's our intent to security mask the package in the
next 24 hours.

Thanks in advance,
Stefan