Re: time is running: security issue BZ#2241470

2023-10-05 Thread Adam Williamson
On Thu, 2023-10-05 at 19:01 +0200, Tomasz Torcz wrote:
> On Thu, Oct 05, 2023 at 11:23:35AM -0400, Stephen Smoogen wrote:
> > On Sat, 30 Sept 2023 at 05:13, Marius Schwarz wrote:
> > 
> > > 
> > > Hi,
> > > 
> > > this is an emergency ping for the security team, to take a look at this bz:
> > > 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> > > 
> > > The deadline for having a fix shipped is the afternoon of Sunday, 1 Oct
> > > 2023. On this date, the patches in upstream go public and exploits
> > > will be developed for them. This impacts ALL of the Red Hat based
> > > installations which run as servers and are publicly reachable. The
> > > component in question is the default package for RH based installations.
> > > 
> > So does anyone know which of this week's major security problems this was
> > about? Since it is supposedly past the release date, I figure it is OK to
> > ask. If it isn't due to some other delay... my apologies.
> 
>   My guess is on glibc's suid local root: https://lwn.net/Articles/946381/

That doesn't seem to really fit, though. You need to be able to at
least set environment variables and execute processes to exploit that,
right? That hardly covers "all publicly reachable servers".

I guess it's the closest candidate, but meh. In any case, the updates
for that all went stable yesterday.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: time is running: security issue BZ#2241470

2023-10-05 Thread Tomasz Torcz
On Thu, Oct 05, 2023 at 11:23:35AM -0400, Stephen Smoogen wrote:
> On Sat, 30 Sept 2023 at 05:13, Marius Schwarz wrote:
> 
> >
> > Hi,
> >
> > this is an emergency ping for the security team, to take a look at this bz:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> >
> > The deadline for having a fix shipped is the afternoon of Sunday, 1 Oct
> > 2023. On this date, the patches in upstream go public and exploits
> > will be developed for them. This impacts ALL of the Red Hat based
> > installations which run as servers and are publicly reachable. The
> > component in question is the default package for RH based installations.
> >
> So does anyone know which of this week's major security problems this was
> about? Since it is supposedly past the release date, I figure it is OK to
> ask. If it isn't due to some other delay... my apologies.

  My guess is on glibc's suid local root: https://lwn.net/Articles/946381/

-- 
Tomasz Torcz              Once you've read the dictionary,
@ttorcz:pipebreaker.pl    every other book is just a remix.


Re: time is running: security issue BZ#2241470

2023-10-05 Thread Stephen Smoogen
On Sat, 30 Sept 2023 at 05:13, Marius Schwarz wrote:

>
> Hi,
>
> this is an emergency ping for the security team, to take a look at this bz:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2241470
>
> Excuse me for bringing this to the list, as a security bz is the way to
> go, but time is running fast and the patched release needs to be built
> and shipped in 36 hours from now.
>
> The deadline for having a fix shipped is the afternoon of Sunday, 1 Oct
> 2023. On this date, the patches in upstream go public and exploits
> will be developed for them. This impacts ALL of the Red Hat based
> installations which run as servers and are publicly reachable. The
> component in question is the default package for RH based installations.
>
> best regards,
> Marius Schwarz
>
>
So does anyone know which of this week's major security problems this was
about? Since it is supposedly past the release date, I figure it is OK to
ask. If it isn't due to some other delay... my apologies.

-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren


Re: time is running: security issue BZ#2241470

2023-09-30 Thread Marcus Müller

Hi Marius,

I'd also point out that if you want to inform the security team about something, you 
should inform them directly – and it seems you've done that, by properly labeling that issue 
(which I can't read at all) as sensitive. As the others pointed out, there's nothing that 
can be done publicly before the embargo is lifted, which should coincide exactly with your 
deadline; anything else would amount to publishing a bugfix that you've now publicly 
announced is a fix for a critical security vulnerability!


If, for some reason, the issue you can read and we can't is marked confidential, but you 
see the security team has not paid appropriate attention to it, or don't understand the 
process they're going through, they do have an email address: secalert at [roterhut auf 
Englisch] dot com. Note that it's quite usual that reporters and security teams come to 
different assessments regarding appropriate measures, which is mostly due to different 
scopes of what they need to care about. As you've done here, being nice gets you far :)


Best,
Marcus

On 30.09.23 23:58, Justin Forbes wrote:

> On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi wrote:
>
> > On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> >
> > > Hi,
> > >
> > > this is an emergency ping for the security team, to take a look at this bz:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> >
> > If this is an embargoed bug (I can't see it, so no idea if it is, but it
> > seems likely), please don't discuss it on a public mailing list.
> >
> > Fedora has no means to secretly build anything, so it may be that the
> > maintainers of whatever this is are waiting for the embargo to lift to
> > push fedora updates.
>
> Agreed. I also don't have access to the bug, but no matter the issue,
> even if I have the patch months before the lift of embargo, and do
> test builds locally, I can not commit a fix to Fedora dist-git and
> start a build until an embargo is lifted.  We still typically get such
> issues fixed and out to users within a few hours if critical.  That is
> part of the open nature of Fedora, we literally do not have a back
> channel.  That said, calling something out which is embargoed is
> absolutely irresponsible and is not the way to ensure that people
> continue to get read in on such issues.  If the bug exists, the
> security team is likely well aware, and we do have processes in place.
> A public mailing list is no place to discuss any non public bugs.
>
> Justin
>
> > If you have access to the bug, that's the place to comment further.
> >
> > kevin


Re: time is running: security issue BZ#2241470

2023-09-30 Thread JT
As far as the "Fedora Security Team" goes, we don't know anything that's not
public either.  RH's security team has access to the embargoed stuff and I
assume that they handle it privately with the package maintainer and prep
the patch themselves. I say assume because I have zero visibility into what
they do or how they handle things. The Fedora Security team... for what it
is... is mostly an end user facing team at this point.  IDK how it operated
in the past, it was dead when I started to reboot it last year. We deal
with public security issues and are a contact point for the community
around security matters.  We have no visibility into any embargoed matters
until it's made public. That's the nature of a fully open project -- no
secrets.
JT


On Sat, Sep 30, 2023 at 5:59 PM Justin Forbes wrote:

> On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi wrote:
> >
> > On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> > >
> > > Hi,
> > >
> > > this is an emergency ping for the security team, to take a look at this bz:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> >
> > If this is an embargoed bug (I can't see it, so no idea if it is, but it
> > seems likely), please don't discuss it on a public mailing list.
> >
> > Fedora has no means to secretly build anything, so it may be that the
> > maintainers of whatever this is are waiting for the embargo to lift to
> > push fedora updates.
>
> Agreed. I also don't have access to the bug, but no matter the issue,
> even if I have the patch months before the lift of embargo, and do
> test builds locally, I can not commit a fix to Fedora dist-git and
> start a build until an embargo is lifted.  We still typically get such
> issues fixed and out to users within a few hours if critical.  That is
> part of the open nature of Fedora, we literally do not have a back
> channel.  That said, calling something out which is embargoed is
> absolutely irresponsible and is not the way to ensure that people
> continue to get read in on such issues.  If the bug exists, the
> security team is likely well aware, and we do have processes in place.
> A public mailing list is no place to discuss any non public bugs.
>
> Justin
>
> > If you have access to the bug, that's the place to comment further.
> >
> > kevin


Re: time is running: security issue BZ#2241470

2023-09-30 Thread Justin Forbes
On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi wrote:
>
> On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> >
> > Hi,
> >
> > this is an emergency ping for the security team, to take a look at this bz:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
>
> If this is an embargoed bug (I can't see it, so no idea if it is, but it
> seems likely), please don't discuss it on a public mailing list.
>
> Fedora has no means to secretly build anything, so it may be that the
> maintainers of whatever this is are waiting for the embargo to lift to
> push fedora updates.

Agreed. I also don't have access to the bug, but no matter the issue,
even if I have the patch months before the lift of embargo, and do
test builds locally, I can not commit a fix to Fedora dist-git and
start a build until an embargo is lifted.  We still typically get such
issues fixed and out to users within a few hours if critical.  That is
part of the open nature of Fedora, we literally do not have a back
channel.  That said, calling something out which is embargoed is
absolutely irresponsible and is not the way to ensure that people
continue to get read in on such issues.  If the bug exists, the
security team is likely well aware, and we do have processes in place.
A public mailing list is no place to discuss any non public bugs.

Justin

> If you have access to the bug, that's the place to comment further.
>
> kevin


Re: time is running: security issue BZ#2241470

2023-09-30 Thread Kevin Fenzi
On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> 
> Hi,
> 
> this is an emergency ping for the security team, to take a look at this bz:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=2241470

If this is an embargoed bug (I can't see it, so no idea if it is, but it
seems likely), please don't discuss it on a public mailing list. 

Fedora has no means to secretly build anything, so it may be that the
maintainers of whatever this is are waiting for the embargo to lift to
push fedora updates. 

If you have access to the bug, that's the place to comment further.

kevin




time is running: security issue BZ#2241470

2023-09-30 Thread Marius Schwarz


Hi,

this is an emergency ping for the security team, to take a look at this bz:

https://bugzilla.redhat.com/show_bug.cgi?id=2241470

Excuse me for bringing this to the list, as a security bz is the way to 
go, but time is running fast and the patched release needs to be built 
and shipped in 36 hours from now.


The deadline for having a fix shipped is the afternoon of Sunday, 1 Oct 
2023. On this date, the patches in upstream go public and exploits
will be developed for them. This impacts ALL of the Red Hat based 
installations which run as servers and are publicly reachable. The 
component in question is the default package for RH based installations.


best regards,
Marius Schwarz
