Re: Bind update (CVE-2016-2776)?

2016-09-29 Thread Jaroslav Reznik
On Thu, Sep 29, 2016 at 10:36 AM, Igor Gnatenko  wrote:
> On Thu, Sep 29, 2016 at 10:08 AM, Tomas Hozza  wrote:
>> On 09/29/2016 06:19 AM, Bojan Smojver wrote:
>>> Could someone with sufficient access please spin up an update of bind
>>> for F-24 and other flavours of Fedora. That CVE looks like a pretty
>>> serious DoS. This has already been fixed in RHEL.
>>>
>>> Thanks,
>>>
>>
>> Hi.
>>
>> I'll be pushing the updates shortly. The problem with Fedora is that we can 
>> not prepare the update in advance as for RHEL, because everything (git 
>> repos, update system, etc.) is public.
> You mean before CVE has been published? Or what's the problem with being 
> public?

In some cases, the security bugs are embargoed (so everyone has enough
time to get ready for the fix) but it doesn't go very well with how
our infrastructure works. Everything is public, so you can't commit,
you can't build and test ahead of time to get it released when the embargo
is lifted. And it can take time. Some time ago the OpenJDK guys contacted
me as they were hit by it and I created a Board ticket for hidden
private builds. Board was ok with it (although it was difficult to
explain the embargo concept ;-) [1] but with the amount of changes needed
in the infrastructure...

[1] http://fedoraproject.org/wiki/Meeting:Board_meeting_2012-10-03#.23144:_Hidden_Private_Builds

R.




-- 
Jaroslav Řezník 
Engineering Program Manager

Office: +420 532 294 645
Mobile: +420 602 797 774
PIN: REZZABBM
Red Hat, Inc.   http://www.redhat.com/
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: Bind update (CVE-2016-2776)?

2016-09-29 Thread Bojan Smojver
On 29 September 2016 6:08:13 PM AEST, Tomas Hozza  wrote:

>I'll be pushing the updates shortly. 

Cool, thanks.

--
Bojan


Re: Bind update (CVE-2016-2776)?

2016-09-29 Thread Tomas Hozza

On 09/29/2016 10:36 AM, Igor Gnatenko wrote:
> On Thu, Sep 29, 2016 at 10:08 AM, Tomas Hozza  wrote:
> > On 09/29/2016 06:19 AM, Bojan Smojver wrote:
> >> Could someone with sufficient access please spin up an update of bind
> >> for F-24 and other flavours of Fedora. That CVE looks like a pretty
> >> serious DoS. This has already been fixed in RHEL.
> >>
> >> Thanks,
> >>
> >
> > Hi.
> >
> > I'll be pushing the updates shortly. The problem with Fedora is that we can 
> > not prepare the update in advance as for RHEL, because everything (git 
> > repos, update system, etc.) is public.
> You mean before CVE has been published? Or what's the problem with being 
> public?

Yes, that's what I meant.

Tomas




-- 
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com


Re: Bind update (CVE-2016-2776)?

2016-09-29 Thread Igor Gnatenko
On Thu, Sep 29, 2016 at 10:08 AM, Tomas Hozza  wrote:
> On 09/29/2016 06:19 AM, Bojan Smojver wrote:
>> Could someone with sufficient access please spin up an update of bind
>> for F-24 and other flavours of Fedora. That CVE looks like a pretty
>> serious DoS. This has already been fixed in RHEL.
>>
>> Thanks,
>>
>
> Hi.
>
> I'll be pushing the updates shortly. The problem with Fedora is that we can 
> not prepare the update in advance as for RHEL, because everything (git repos, 
> update system, etc.) is public.

You mean before CVE has been published? Or what's the problem with being public?




-- 
-Igor Gnatenko


Re: Bind update (CVE-2016-2776)?

2016-09-29 Thread Tomas Hozza
On 09/29/2016 06:19 AM, Bojan Smojver wrote:
> Could someone with sufficient access please spin up an update of bind
> for F-24 and other flavours of Fedora. That CVE looks like a pretty
> serious DoS. This has already been fixed in RHEL.
>
> Thanks,
>

Hi.

I'll be pushing the updates shortly. The problem with Fedora is that we can not 
prepare the update in advance as for RHEL, because everything (git repos, 
update system, etc.) is public.

Regards,
Tomas
-- 
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com


Bind update (CVE-2016-2776)?

2016-09-28 Thread Bojan Smojver
Could someone with sufficient access please spin up an update of bind
for F-24 and other flavours of Fedora. That CVE looks like a pretty
serious DoS. This has already been fixed in RHEL.

Thanks,
-- 
Bojan