It's that time of year when a bunch of CVE BZ tickets get put on the chopping
block due to EOL of a Fedora version. I've started reviewing the CVEs[0] that
fall into this category and have found 119.
We need to evaluate each of these to see if the version in F21+ is still
affected. If they can go EOL then please leave a message that says as much and
a whiteboard entry 'FST_evaluated=EOL_Okay' along with going ahead and owning
the bug 'FST_Owner=<FAS Name>'. If the CVE isn't fixed in F21+ then go ahead
and bump it up to the highest F version that is affected (probably rawhide).
This is probably a good time to also look at upstream to see in what version
they addressed the vulnerability and note that information in the ticket.
[0] https://tinyurl.com/oagoex6
Thanks!
--Eric
Hello
Yesterday, during our weekly meeting, it was proposed that we invite people to report Fedora security issues to Red Hat Product Security instead of FST, as they are the ones who end up triaging most of the issues anyway.
-> https://meetbot.fedoraproject.org/fedora-meeting/2015-05-28/fedora_security…
Fedora has 'security(a)fedoraproject.org' and 'security-private(a)lists.fedoraproject.org' addresses, but both are dormant and unknown to wider community folks.
Your comments and inputs are welcome here.
Thank you.
---
Regards
-P J P
http://feedmug.com
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:43 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-05-28/fedora_security_… .
Meeting summary
---------------
* Roll Call (Sparks, 14:00:51)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:05:41)
* Follow up on last week's tasks (Sparks, 14:05:48)
* ACTION: jsmith to patch rubygem-activesupport as provenpackager (BZ
905374) (Sparks, 14:08:04)
* jsmith to push the fix today (Sparks, 14:08:40)
* 90-Day Challenge (Sparks, 14:10:39)
* LINK: https://ethercalc.org/90-day-challenge (Sparks, 14:10:47)
* 90-Day Challenge has a goal to close all 2014 and prior Important
CVEs in Fedora (Sparks, 14:10:52)
* As of 2015-05-28, of the 38 target bugs 14 have been closed, 1 is
On_QA, and 23 are Open (Sparks, 14:11:02)
* ACTION: Sparks to blog about the challenge at 2/3 the way through.
(Sparks, 14:12:22)
* ACTION: Sparks to remove FST owners from 90-day challenge tickets
that are stagnant (from a FST point of view) (Sparks, 14:14:24)
* Outstanding BZ Tickets (Sparks, 14:15:33)
* Thursday's numbers: Critical 1, Important 41 (+1), Moderate 376
(+6), Low 163 (+3), Total 585, Trend +10 (Sparks, 14:15:38)
* Current tickets owned: 108 (~19%) (Sparks, 14:15:42)
* Tickets closed: 318 (+3) (Sparks, 14:15:49)
* New Meeting Time (Sparks, 14:17:44)
* Looking for a potential new meeting time (Sparks, 14:17:53)
* LINK: http://whenisgood.net/98rtz7p (Sparks, 14:17:58)
* LINK: http://whenisgood.net/98rtz7p/results/eyz7qkh (Sparks,
14:18:04)
* Open floor discussion/questions/comments (Sparks, 14:24:37)
* Reporting security issues to FST (Sparks, 14:28:13)
* Nonresponsive maintainer (Sparks, 14:48:32)
* Open floor discussion/questions/comments (Sparks, 14:57:19)
* ACTION: FabioOlive will propose automated non-responsive maintainer
process on the FST list. (FabioOlive, 14:57:49)
* ACTION: Sparks to follow up with nirik regarding
security-private(a)l.fp.o. (Sparks, 14:59:22)
Meeting ended at 15:00:32 UTC.
Action Items
------------
* jsmith to patch rubygem-activesupport as provenpackager (BZ 905374)
* Sparks to blog about the challenge at 2/3 the way through.
* Sparks to remove FST owners from 90-day challenge tickets that are
stagnant (from a FST point of view)
* FabioOlive will propose automated non-responsive maintainer process on
the FST list.
* Sparks to follow up with nirik regarding security-private(a)l.fp.o.
Action Items, by person
-----------------------
* FabioOlive
* FabioOlive will propose automated non-responsive maintainer process
on the FST list.
* jsmith
* jsmith to patch rubygem-activesupport as provenpackager (BZ 905374)
* nirik
* Sparks to follow up with nirik regarding security-private(a)l.fp.o.
* Sparks
* Sparks to blog about the challenge at 2/3 the way through.
* Sparks to remove FST owners from 90-day challenge tickets that are
stagnant (from a FST point of view)
* Sparks to follow up with nirik regarding security-private(a)l.fp.o.
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (95)
* pjp (53)
* FabioOlive (17)
* d-caf (14)
* jsmith (9)
* zodbot (5)
* nirik (2)
* lnxslck (1)
Generated by `MeetBot`_ 0.1.4
.. _`MeetBot`: http://wiki.debian.org/MeetBot
I started this morning's meeting and no one showed up. I understand that the
time isn't great (did it used to be great?) and we should probably revisit it.
I also want to convey that participation in the meetings is *not* a
prerequisite to participating on the team.
Below is the agenda for today's meeting along with some discussion points I
wanted to make. Please feel free to reply and comment on things inline so we
can continue the discussion.
* #topic Follow up on last week's tasks
** jsmith to patch rubygem-activesupport as provenpackager (BZ 905374)
I believe this is still in progress. Jared, can you comment?
** pjp started non-responsive maintainer against rubygem-activesupport in
EPEL6
Whatever happened with this?
** Team Goal: All important CVEs from 2014 and before should be fixed by the
end of June.
More on that below...
* #topic 90-Day Challenge
** #link https://ethercalc.org/90-day-challenge
** #info 90-Day Challenge has a goal to close all 2014 and prior Important
CVEs in Fedora
** #info As of 2015-04-29, of the 38 target bugs 14 have been closed, 1 is
On_QA, and 23 are Open
We had a few bugs that were On_QA move over to the Closed-Errata status since
the last time I looked. We're currently up to a little over a third of our
target bugs being closed. We've got a little over a month to get the rest of
them done. Let's see if we can make a big push over the coming week.
* #topic Outstanding BZ Tickets
** #info Thursday's numbers: Critical 1, Important 40 (+2), Moderate 370
(+22), Low 160 (0), Total 571, Trend +24
** #info Current tickets owned: 107 (~19%)
** #info Tickets closed: 315 (+11)
While cases are still getting closed, the number of tickets actively being
worked (or owned, really) is being reduced. It would appear that we aren't
picking up new cases to work. I've noticed over the past few months that
participation has dropped significantly, too. I'd love to know why.
* #topic Loss of momentum
** #info The FST has been around for almost a year. Our participation is
dropping like flies.
Anyone have any ideas? A new meeting time? Rewards/swag? Something more
interesting to do?
I know this isn't the most fun job in Fedora but I'd like to think we're
making a difference. Perhaps we need to talk more about what we're doing in
public (or, more in public)?
--Eric