On Mon, Apr 10, 2023 at 10:40 AM Ben Beasley <c...@musicinmybrain.net> wrote:
> When I took over maintenance of the flintqs package[1]—which contains William Hart’s quadratic sieve implementation, as modified for sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why not? Someone might find it useful.”
>
> It was recently pointed out[2][3] that the flintqs command-line tool uses temporary files in unsafe ways[4], which could potentially represent an exploitable security vulnerability; this has been assigned CVE-2023-29465[5].
>
> There is no immediate patch available; while one could surely be constructed, the sagemath project plans to incorporate the factorization algorithm directly in sagemath and discontinue support of the vulnerable command-line tool rather than fixing it[6].
>
> Since sagemath is not packaged in any of the EPEL releases, and flintqs is therefore a leaf package, I plan to handle this security report by retiring flintqs in all three EPELs. This email is the beginning of that process as prescribed in the EPEL Retirement Policy: Process: Security Reasons[7]. I doubt there will be any objections, but the process requires a one-week discussion period, so I will follow up on the epel-announce list and do the retirements no earlier than 2023-03-17.
>
> [1] https://src.fedoraproject.org/rpms/flintqs
>
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2185301
>
> [3] https://github.com/sagemath/FlintQS/issues/3
>
> [4] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
>
> [5] https://nvd.nist.gov/vuln/detail/CVE-2023-29465
>
> [6] https://github.com/sagemath/sage/pull/35419
>
> [7] https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons

Thank you for following the retirement policy. I'm assuming that's a typo and you really meant "no earlier than 2023-04-17"

Troy
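The vulnerability class the report points to ([4], OWASP "Insecure Temporary File") is illustrated below with an added C example. It is not flintqs code and does not reproduce whatever flintqs actually does with its temporary files; it only contrasts the textbook unsafe pattern (predictable name in a shared directory, opened without O_EXCL) with the hardened pattern (mkstemp plus an fstat check on the open descriptor). The function names, the "/tmp" directory and the "flintqs-example" prefix are assumptions chosen for the illustration.

```c
/* Added example: unsafe vs. hardened temporary-file creation on POSIX.
 * Not taken from flintqs; names and paths are assumptions for illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* UNSAFE pattern (the OWASP "Insecure Temporary File" class):
 * the name is predictable (prefix plus PID) and the file is created in a
 * shared directory without O_EXCL, so the open() silently follows whatever
 * another local user has already placed at that path. Shown only as the
 * "before" form; do not use. */
int unsafe_open_tmp(const char *dir, const char *prefix, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.%ld", dir, prefix, (long)getpid());
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0644); /* no O_EXCL */
}

/* HARDENED pattern: mkstemp() replaces the XXXXXX suffix with an unpredictable
 * string and creates the file atomically with O_CREAT|O_EXCL and mode 0600.
 * A pre-placed file or symlink at the chosen name makes creation fail
 * instead of being written through. Returns the fd, or -1 on error. */
int safe_open_tmp(const char *dir, const char *prefix, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out);
}

/* Post-open check done on the descriptor, not the path, so there is no
 * check-then-use window: regular file, owned by us, a single link, and no
 * group/other permission bits. Returns 1 if all hold, 0 otherwise. */
int tmpfd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_nlink != 1) return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return 0;
    return 1;
}

int main(void)
{
    char path[256];
    int fd = safe_open_tmp("/tmp", "flintqs-example", path, sizeof path);
    if (fd < 0) { perror("safe_open_tmp"); return 1; }
    printf("created %s, private=%d\n", path, tmpfd_is_private(fd));
    /* Do all work through fd; remove the name when done so nothing lingers. */
    close(fd);
    unlink(path);
    return 0;
}
```

The practical rule the hardened form encodes: never reopen the temporary file by name after creating it, keep working through the descriptor mkstemp returned, and unlink it yourself when finished. Where the program only needs scratch space and never a path, tmpfile() (which unlinks the file immediately) removes the name from the picture entirely.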
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org