Re: Fedora Security Team
Stephen Gallagher wrote:
> Generally, whenever Node.js issues a security release, they do so for
> multiple issues simultaneously. When Product Security then goes and creates
> Bugzilla tickets, they create many (sometimes up to five bugs per CVE). It
> becomes nearly impossible to keep up with the bug maintenance in such
> situations. The process is just too heavyweight and I often end up just
> doing the upstream releases and ignoring the BZs.
>
> If we want this to be more accurate, we really need to have a more
> streamlined and/or automated solution for these issues.

Of course, the real solution would be decent code quality upstream, so that
security fixes would be rare, not come in heaps.

Björn Persson
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora Security Team
On Wed, Nov 4, 2020 at 9:10 AM Huzaifa Sidhpurwala wrote:
>
> I don't think creating 5 bugs per CVE is a correct statement here. We create
> one bug per product per CVE.
>
> So if fedora is affected with a node.js, we create one fedora tracker per
> CVE. The tracker should block the CVE bug, so it should be easy to find. Also
> you can search for bugs with SecurityTracking whiteboard if you can't find
> otherwise.
>
> Let me know if you need help, in tracking your fedora security bugs :)
>
> - Original Message -
> From: "Stephen Gallagher"
> To: "Development discussions related to Fedora"
> Sent: Wednesday, November 4, 2020 8:31:32 PM
> Subject: Re: Fedora Security Team
>
> On Tue, Nov 3, 2020 at 11:39 AM Marek Marczykowski-Górecki <
> marma...@invisiblethingslab.com > wrote:
>
> > On Tue, Nov 03, 2020 at 10:02:24AM +, P J P wrote:
> > * Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product
> > security team.
> >
> > * CVEs/bugs are fixed in the upstream sources first. Fedora package
> > maintainers do rebuild
> > of the package with released fixes.
>
> I see currently over 1000 such tracking bugs[1].
> I realize in some cases it may be missing upstream fix and it is not a
> Fedora package maintainers responsibility to develop a fix (although
> anyone can help upstream to develop a fix). But by looking at few random
> items there, it seems the fix is available in a subsequent upstream
> release and what is missing is just bumping the package version in
> Fedora. In some (many?) cases, the newer package is even already there,
> but the missing part is closing related tracking bug (and I'd guess the
> update lacked info it was a security fix, but I haven't verified that).
>
> I'm definitely guilty of the latter part, particularly for Node.js.
>
> Generally, whenever Node.js issues a security release, they do so for
> multiple issues simultaneously. When Product Security then goes and creates
> Bugzilla tickets, they create many (sometimes up to five bugs per CVE). It
> becomes nearly impossible to keep up with the bug maintenance in such
> situations. The process is just too heavyweight and I often end up just doing
> the upstream releases and ignoring the BZs.
>
> If we want this to be more accurate, we really need to have a more
> streamlined and/or automated solution for these issues.

The multiple bugs I see are for RHEL as well. There is typically only 1 for
Fedora. If you need a query to see open Fedora CVE bugs on kernel, I use:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW_status=ASSIGNED_status=MODIFIED_status=ON_DEV_status=ON_QA_status=VERIFIED_status=RELEASE_PENDING_status=POST=Fedora=kernel=Security_type=anywords_id=11463462=Bug%20Number=Fedora_format=advanced

Simply replace the component=kernel with your packages and keep a bookmark.
I track it every morning, and it is fairly easy to stay on top of, though the
kernel probably gets more CVEs than most packages, so maybe daily is overkill
for some.
Re: Fedora Security Team
I don't think creating 5 bugs per CVE is a correct statement here. We create
one bug per product per CVE.

So if fedora is affected with a node.js, we create one fedora tracker per
CVE. The tracker should block the CVE bug, so it should be easy to find. Also
you can search for bugs with SecurityTracking whiteboard if you can't find
otherwise.

Let me know if you need help, in tracking your fedora security bugs :)

- Original Message -
From: "Stephen Gallagher"
To: "Development discussions related to Fedora"
Sent: Wednesday, November 4, 2020 8:31:32 PM
Subject: Re: Fedora Security Team

On Tue, Nov 3, 2020 at 11:39 AM Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com > wrote:

On Tue, Nov 03, 2020 at 10:02:24AM +, P J P wrote:
> * Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product
> security team.
>
> * CVEs/bugs are fixed in the upstream sources first. Fedora package
> maintainers do rebuild
> of the package with released fixes.

I see currently over 1000 such tracking bugs[1].
I realize in some cases it may be missing upstream fix and it is not a
Fedora package maintainers responsibility to develop a fix (although
anyone can help upstream to develop a fix). But by looking at few random
items there, it seems the fix is available in a subsequent upstream
release and what is missing is just bumping the package version in
Fedora. In some (many?) cases, the newer package is even already there,
but the missing part is closing related tracking bug (and I'd guess the
update lacked info it was a security fix, but I haven't verified that).

I'm definitely guilty of the latter part, particularly for Node.js.

Generally, whenever Node.js issues a security release, they do so for
multiple issues simultaneously. When Product Security then goes and creates
Bugzilla tickets, they create many (sometimes up to five bugs per CVE). It
becomes nearly impossible to keep up with the bug maintenance in such
situations. The process is just too heavyweight and I often end up just doing
the upstream releases and ignoring the BZs.

If we want this to be more accurate, we really need to have a more
streamlined and/or automated solution for these issues.
Re: Fedora Security Team
On Tue, Nov 3, 2020 at 11:39 AM Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:
> On Tue, Nov 03, 2020 at 10:02:24AM +, P J P wrote:
> > * Right, Fedora package CVEs and relevant bugs are filed by Red Hat
> Product security team.
> >
> > * CVEs/bugs are fixed in the upstream sources first. Fedora package
> maintainers do rebuild
> > of the package with released fixes.
>
> I see currently over 1000 such tracking bugs[1].
> I realize in some cases it may be missing upstream fix and it is not a
> Fedora package maintainers responsibility to develop a fix (although
> anyone can help upstream to develop a fix). But by looking at few random
> items there, it seems the fix is available in a subsequent upstream
> release and what is missing is just bumping the package version in
> Fedora. In some (many?) cases, the newer package is even already there,
> but the missing part is closing related tracking bug (and I'd guess the
> update lacked info it was a security fix, but I haven't verified that).
>

I'm definitely guilty of the latter part, particularly for Node.js.

Generally, whenever Node.js issues a security release, they do so for
multiple issues simultaneously. When Product Security then goes and creates
Bugzilla tickets, they create many (sometimes up to five bugs per CVE). It
becomes nearly impossible to keep up with the bug maintenance in such
situations. The process is just too heavyweight and I often end up just doing
the upstream releases and ignoring the BZs.

If we want this to be more accurate, we really need to have a more
streamlined and/or automated solution for these issues.
Re: Fedora Security Team
On Tuesday, 03 November 2020 at 17:36, Marek Marczykowski-Górecki wrote:
[...]
> But by looking at few random items there, it seems the fix is
> available in a subsequent upstream release and what is missing is just
> bumping the package version in Fedora.

"Just bumping" may not always be trivial, but often the lack of an update
indicates an unresponsive maintainer.

[...]
> There are also many tracking bugs assigned to no longer supported
> Fedora version (28 specifically) - have auto-closing bot malfunctioned
> (I see a reminder message, but not the actual close)? But in some
> cases the bug may still apply to a newer release.

As far as I know, auto-closure of security bugs has been disabled some time
ago.

Regards,
Dominik
-- 
Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
        -- from "Collected Sayings of Muad'Dib" by the Princess Irulan
Re: Fedora Security Team
On Tue, Nov 03, 2020 at 05:47:28PM +0100, Dominique Martinet wrote:
> Marek Marczykowski-Górecki wrote on Tue, Nov 03, 2020:
> > Do you know if some parts of the above already exist? I know Debian has
> > automatic checks for latest upstream versions, but I haven't seen it in
> > Fedora.
>
> Fedora has "Upstream Release Monitoring"
>
> https://fedoraproject.org/wiki/Upstream_release_monitoring
>
> I sometimes see bug automatically opened to notify of new updates but
> not for all packages, it looks opt-in ?
>

Yes. The packager must enable it for a package in src.fedoraproject.org (not
sure whether it's on by default for new packages) and the packager must
configure the checks on release-monitoring.org and map the upstream to a
Fedora package.

-- Petr
Re: Fedora Security Team
Marek Marczykowski-Górecki wrote on Tue, Nov 03, 2020:
> Do you know if some parts of the above already exist? I know Debian has
> automatic checks for latest upstream versions, but I haven't seen it in
> Fedora.

Fedora has "Upstream Release Monitoring"

https://fedoraproject.org/wiki/Upstream_release_monitoring

I sometimes see bug automatically opened to notify of new updates but
not for all packages, it looks opt-in ?

-- 
Dominique
Re: Fedora Security Team
On Tue, Nov 03, 2020 at 10:02:24AM +, P J P wrote:
> * Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product
> security team.
>
> * CVEs/bugs are fixed in the upstream sources first. Fedora package
> maintainers do rebuild
> of the package with released fixes.

I see currently over 1000 such tracking bugs[1].
I realize in some cases it may be missing upstream fix and it is not a
Fedora package maintainers responsibility to develop a fix (although
anyone can help upstream to develop a fix). But by looking at few random
items there, it seems the fix is available in a subsequent upstream
release and what is missing is just bumping the package version in
Fedora. In some (many?) cases, the newer package is even already there,
but the missing part is closing related tracking bug (and I'd guess the
update lacked info it was a security fix, but I haven't verified that).

There are also many tracking bugs assigned to no longer supported
Fedora version (28 specifically) - have auto-closing bot malfunctioned
(I see a reminder message, but not the actual close)? But in some
cases the bug may still apply to a newer release.

I think at least some of the above can be automated. CVE do contain
machine-readable affected versions info. Perhaps this can be used to
(scripted) close already fixed bugs? If we can get latest upstream version
automatically, then another set of bugs can be marked with info like
"fixed upstream release available". And similar approach applied in the
future to mark package update as fixing specific CVEs.

Do you know if some parts of the above already exist? I know Debian has
automatic checks for latest upstream versions, but I haven't seen it in
Fedora.

[1] https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__=Fedora=Fedora_format=advanced_desc=CVE_desc_type=allwordssubstr

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
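The triage Marek sketches above (compare each tracker's shipped version and the latest upstream release against the CVE's machine-readable affected ranges, then sort trackers into "already fixed", "fix available upstream" and "no fix yet") as an added example, not code from the thread or from Fedora infrastructure. The CVE ids, version numbers and record layout are constructed; the `version`/`lessThan` range shape is borrowed loosely from the CVE JSON 5 "affected" format and is an assumption of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed CVE records (placeholder ids, not real CVEs). Each range covers
# [version, lessThan); a range without "lessThan" means no fixed release yet.
# Two ranges on the first entry model a Node.js-style release with several
# supported lines, each getting its own fix version.
CVE_DB = {
    "CVE-0000-00001": {"affected": [
        {"version": "12.0.0", "lessThan": "12.18.4"},
        {"version": "14.0.0", "lessThan": "14.11.0"},
    ]},
    "CVE-0000-00002": {"affected": [{"version": "0"}]},
}

def parse_version(v: str) -> tuple:
    """Turn '12.18.4' into a tuple that compares numerically per component.
    Simplified (not rpmvercmp): numeric parts sort before alphabetic ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def is_affected(version: str, affected_ranges: list[dict]) -> bool:
    """True if version falls inside any affected range of the CVE record."""
    v = parse_version(version)
    for r in affected_ranges:
        lo = parse_version(r["version"])
        hi = r.get("lessThan")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return True
    return False

@dataclass
class Tracker:
    bug_id: int
    cve: str
    package: str
    fedora_version: str    # version currently shipped in Fedora
    upstream_latest: str   # latest upstream release on the shipped line
                           # (release monitoring would supply this)

def triage(t: Tracker, cve_db: dict) -> str:
    """Classify one tracker bug against the CVE's affected ranges."""
    ranges = cve_db[t.cve]["affected"]
    if not is_affected(t.fedora_version, ranges):
        return "already-fixed"            # candidate for scripted close
    if not is_affected(t.upstream_latest, ranges):
        return "fix-available-upstream"   # needs a version bump in Fedora
    return "no-upstream-fix"              # nothing for the packager to pull yet

def triage_all(trackers: list[Tracker], cve_db: dict) -> dict[int, str]:
    return {t.bug_id: triage(t, cve_db) for t in trackers}

# Constructed tracker bugs; ids and versions are made up for the example.
TRACKERS = [
    Tracker(1, "CVE-0000-00001", "nodejs", "12.18.4", "12.18.4"),  # fixed, bug left open
    Tracker(2, "CVE-0000-00001", "nodejs", "12.18.3", "12.18.4"),  # update not yet built
    Tracker(3, "CVE-0000-00002", "examplepkg", "1.2.0", "1.2.0"),  # upstream has no fix
    Tracker(4, "CVE-0000-00001", "nodejs", "14.11.0", "14.11.0"),  # fixed on the 14 line
]

if __name__ == "__main__":
    for bug_id, verdict in triage_all(TRACKERS, CVE_DB).items():
        print(f"bug {bug_id}: {verdict}")
```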
Re: Fedora Security Team
Hello Marek,

On Tuesday, 3 November, 2020, 5:38:39 am IST, Michael Catanzaro wrote:
>On Tue, Nov 3, 2020 at 12:53 am, Marek Marczykowski-Górecki
> wrote:
>> How are in practice security issues handled in Fedora? Is there an
>> active security team to help patching those in timely manner? Or is it
>> responsibility of individual package maintainers only?
>
>Red Hat Product Security is responsible for monitoring CVEs and
>reporting bugs when they determine that a CVE affects Fedora. Fixing
>the CVEs is the responsibility of individual package maintainers. Many
>maintainers respond to bugs expeditiously, but also it's pretty common
>for maintainers to ignore the bug reports filed by Product Security.
>Sometimes this has unfortunate results. It really differs on a
>component-by-component basis.

* Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product
security team.

* CVEs/bugs are fixed in the upstream sources first. Fedora package
maintainers do rebuild of the package with released fixes.

* Often, Fedora package maintainer is also an upstream developer/maintainer.
It helps to fix issues sooner.

* Fedora security team was more looking into auditing and improving Fedora
distribution security via safe default configurations and policies etc. While
also following up with maintainers for fixing CVE bugs sooner.

Thank you.
---
  -P J P
http://feedmug.com
Re: Fedora Security Team
On Tue, Nov 3, 2020 at 12:53 am, Marek Marczykowski-Górecki wrote:
> How are in practice security issues handled in Fedora? Is there an
> active security team to help patching those in timely manner? Or is it
> responsibility of individual package maintainers only?

Hi,

Red Hat Product Security is responsible for monitoring CVEs and
reporting bugs when they determine that a CVE affects Fedora. Fixing
the CVEs is the responsibility of individual package maintainers. Many
maintainers respond to bugs expeditiously, but also it's pretty common
for maintainers to ignore the bug reports filed by Product Security.
Sometimes this has unfortunate results. It really differs on a
component-by-component basis.

Michael
Fedora Security Team
Hello all,

How are in practice security issues handled in Fedora? Is there an
active security team to help patching those in timely manner? Or is it
responsibility of individual package maintainers only?

I've tried to find some information on that, but the only thing I've
found is this page: https://fedoraproject.org/wiki/Category:Security_Team
and few linked from there. And it doesn't look to be very up to date, for
example the last meeting listed there is from 2016, and also mailing
lists are silent. I don't see also Fedora representative listed on
linux-distros[1] mailing list (but I do see Red Hat, so perhaps there is
some information sharing?).

I ask because in Qubes OS we use Fedora as a default OS in VMs, and also
as a base for the host (dom0) OS. While we do provide security patches
for critical components ourselves, I wonder what is the current state
for the base system.

[1] https://oss-security.openwall.org/wiki/mailing-lists/distros#linux-distribution-security-contacts-list

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Fedora Security Team
Some people have already heard about the new Security Team making the
rounds on BZ trying to clean up vulnerabilities that still linger within
our OS. Until today I've not said much as I was waiting to see how
successful we'd be at trying to remedy some of these situations. Turns
out I had nothing to fear. So with that I formally announce the Security
Team to Fedora and open the doors to all that are interested.

== What are we doing? ==

The Security Team's mission is to assist packagers in closing security
vulnerabilities. Once alerted to a vulnerability on a package, the
security team can help work with upstream to obtain a patch or a new
release of a package. Once we have a patch or a new release we attach it
to the vulnerability bug and work with packagers to get the fix pushed.

== How bad is the problem now? ==

As of a few days ago we had 566 open vulnerability tickets that cover
both Fedora and EPEL. The breakdown of those bugs by severity looks like
this:

 * Critical: 3
 * Important: 69
 * Moderate: 366
 * Low: 128

The good thing is that few of these vulnerabilities are considered bad
(critical and important). There are likely bugs in there that no longer
apply since the packages have been upgraded but the tickets never got
closed. Also, a package that is in both Fedora and EPEL will get a ticket
for each so from a pure numbers standpoint there are duplicates in those
stats.

== How many people have signed up for the team? ==

Over twenty so far.

== How can I join/get involved/learn more about the project? ==

Go look at our wiki page[0], which is still being developed but does
contain some basic information on the team. We also have a listserv[1]
and an IRC channel[2] where we hang out.

[0] https://fedoraproject.org/wiki/Security_Team
[1] https://lists.fedoraproject.org/mailman/listinfo/security-team
[2] #fedora-security-team on irc.freenode.net

-- 
Eric

-- 
Eric Sparks Christensen
Fedora Project
spa...@fedoraproject.org - spa...@redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--
___
devel-announce mailing list
devel-annou...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct