Re: [OpenIndiana-discuss] p7zip
On 12/ 9/16 09:07 AM, Jim Klimov wrote:
> On another hand, is there a particular benefit of patching older versions in userland as CVE fixes come out, rather than taking the newest release (assumed to include all bugfixes known to authors)?

It depends. When a fix lands in a new major release, it's worth patching. We don't want to do major updates just to fix security issues. They usually contain not only new features, but also new bugs. Or can just break API/ABI.

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] p7zip
On 8 December 2016, 23:19:02 CET, Alexander Pyhalov wrote:
> Tim Mooney wrote on 08.12.2016 22:05:
>> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said (at...:
>>
>>> Jim Klimov wrote on 04.12.2016 20:11:
>>>> On 4 December 2016, 16:16:57 CET, cpforum wrote:
>>>>> Hi,
>>>>>
>>>>> It seems that CVE-2016-9296 (2016111) affects p7zip Hipster release (15.14.1-2016.0.0.3)
>>>
>>> Hi. Yes, we missed this fix. I've just committed it.
>>> Unfortunately, pkg info is quite useless in determining, which security fixes are applied to the package.
>>
>> Yeah, we talked about that issue last year around this time. This post from Peter is from the middle of the long thread, but it captures one of the most interesting ideas:
>>
>> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html
>
> Hi.
> Yes, the idea is really interesting.
> But there are many small issues to be solved.
>
> For example, I bump package version. A month later I found out that this updated version fixed some vulnerability. Should I update security metadata package?
> What about CVE, which we miss? I mean, one should constantly monitor security lists for new issues. What about old CVEs?
> So, absence of CVE metadata in this new security package will likely mean 'unknown', not 'vulnerable'.
> Another, more technical issue is that we sometimes can wrongly predict published package version. So, should we fix such wrongly added metadata?
> If we fix it, will two facts appear in the security metadata package?
> So, before implementing something similar we should analyze all pros and cons for a while.
>
> Another question is if we should collect this metadata in one dedicated package or in package which fixed the issue? I think separate package is better as this allows us to mark CVEs to be fixed-in-past.
>
> Should it be IPS metadata at all? Perhaps, it could be just RSS extracted from some git tags?
>
> ---
> System Administrator of Southern Federal University Computer Center

On another hand, is there a particular benefit of patching older versions in userland as CVE fixes come out, rather than taking the newest release (assumed to include all bugfixes known to authors)?

Jim

--
Typos courtesy of K-9 Mail on my Samsung Android

[OpenIndiana-discuss] Updates stopped again at the Openindiana wiki
It's now been a month since this page:

https://wiki.openindiana.org/oi/Recent+Wiki+Changes

has changed. Is updating broken again?

--
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-

Re: [OpenIndiana-discuss] p7zip
Tim Mooney wrote on 08.12.2016 22:05:
> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said (at...:
>
>> Jim Klimov wrote on 04.12.2016 20:11:
>>> On 4 December 2016, 16:16:57 CET, cpforum wrote:
>>>> Hi,
>>>>
>>>> It seems that CVE-2016-9296 (2016111) affects p7zip Hipster release (15.14.1-2016.0.0.3)
>>
>> Hi. Yes, we missed this fix. I've just committed it.
>> Unfortunately, pkg info is quite useless in determining, which security fixes are applied to the package.
>
> Yeah, we talked about that issue last year around this time. This post from Peter is from the middle of the long thread, but it captures one of the most interesting ideas:
>
> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html

Hi.
Yes, the idea is really interesting.
But there are many small issues to be solved.

For example, I bump package version. A month later I found out that this updated version fixed some vulnerability. Should I update security metadata package?
What about CVE, which we miss? I mean, one should constantly monitor security lists for new issues. What about old CVEs?
So, absence of CVE metadata in this new security package will likely mean 'unknown', not 'vulnerable'.
Another, more technical issue is that we sometimes can wrongly predict published package version. So, should we fix such wrongly added metadata?
If we fix it, will two facts appear in the security metadata package?
So, before implementing something similar we should analyze all pros and cons for a while.

Another question is if we should collect this metadata in one dedicated package or in package which fixed the issue? I think separate package is better as this allows us to mark CVEs to be fixed-in-past.

Should it be IPS metadata at all? Perhaps, it could be just RSS extracted from some git tags?

---
System Administrator of Southern Federal University Computer Center

Re: [OpenIndiana-discuss] p7zip
In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said (at...:

> Jim Klimov wrote on 04.12.2016 20:11:
>> On 4 December 2016, 16:16:57 CET, cpforum wrote:
>>> Hi,
>>>
>>> It seems that CVE-2016-9296 (2016111) affects p7zip Hipster release (15.14.1-2016.0.0.3)
>
> Hi. Yes, we missed this fix. I've just committed it.
> Unfortunately, pkg info is quite useless in determining, which security fixes are applied to the package.

Yeah, we talked about that issue last year around this time. This post from Peter is from the middle of the long thread, but it captures one of the most interesting ideas:

https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html

Tim

--
Tim Mooney, tim.moo...@ndsu.edu
Enterprise Computing & Infrastructure, 701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building, 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

Re: [OpenIndiana-discuss] Problem with Hipster 2016.10 GUI on ESXi 6.5
Hi Guenther

What happens when you use an ESXi 6.0 with HTML5 GUI?
Is the vSphere Client really not usable anymore with 6.5? ESX usually has backwards compatibility. Even if not supported.

It could be that the VMware Tools need an update. Have you tried to install VMware Tools on the guest via text console?

You say that the first installation step worked. Was the mouse freezing after a while or was the whole screen freezing?

Greetings
Till

On 08.12.2016 at 12:59, Guenther Alka wrote:
> I wanted to install Hipster 2016.10 GUI on the new ESXi 6.5 free where the new local html-5 webconsole is the only management option. The old Windows vsphere client is no longer supported.
>
> First setup step was ok but I was not able to get a working mouse so installation from the GUI was not possible. No problem when using an older ESXi 6.0 with Windows Vsphere or using a text edition.
>
> Gea

[OpenIndiana-discuss] Problem with Hipster 2016.10 GUI on ESXi 6.5
I wanted to install Hipster 2016.10 GUI on the new ESXi 6.5 free where the new local html-5 webconsole is the only management option. The old Windows vsphere client is no longer supported.

First setup step was ok but I was not able to get a working mouse so installation from the GUI was not possible. No problem when using an older ESXi 6.0 with Windows Vsphere or using a text edition.

Gea