Tim Mooney wrote on 08.12.2016 22:05:
In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said (at...:

Jim Klimov wrote on 04.12.2016 20:11:
On 4 December 2016 at 16:16:57 CET, cpforum <[email protected]> writes:
Hi,

It seems that CVE-2016-9296 (2016111) affects p7zip in the Hipster release
(15.14.1-2016.0.0.3).

Hi. Yes, we missed this fix. I've just committed it.
Unfortunately, pkg info is quite useless in determining which security fixes are applied to the package.

Yeah, we talked about that issue last year around this time.  This
post from Peter is from the middle of the long thread, but it captures
one of the most interesting ideas:

https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html

Hi.
Yes, the idea is really interesting.
But there are many small issues to be solved.

For example, I bump a package version. A month later I find out that this updated version fixed some vulnerability. Should I update the security metadata package? What about CVEs which we miss? I mean, one should constantly monitor security lists for new issues. What about old CVEs? So, absence of CVE metadata in this new security package will likely mean 'unknown', not 'vulnerable'. Another, more technical issue is that we sometimes can wrongly predict the published package version. So, should we fix such wrongly added metadata?
If we fix it, will two facts appear in the security metadata package?
So, before implementing something similar we should analyze all pros and cons for a while.

Another question is whether we should collect this metadata in one dedicated package or in the package which fixed the issue. I think a separate package is better, as this allows us to mark CVEs as fixed in the past.

Should it be IPS metadata at all? Perhaps it could be just an RSS feed extracted from some git tags?


---
System Administrator of Southern Federal University Computer Center


_______________________________________________
openindiana-discuss mailing list
[email protected]
https://openindiana.org/mailman/listinfo/openindiana-discuss