Procedure for handling actively exploited security bugs with patches?

Lubomir Kundrak lkundrak at redhat.com
Sat Feb 9 19:11:19 UTC 2008


Hi,

On Fri, 2008-02-08 at 21:16 -0800, Bryan O'Sullivan wrote:
> A bug in a piece of widely used PHP-based software was announced a few
> days ago, and it's now being actively exploited by spammers:
> 
> http://wordpress.org/development/2008/02/wordpress-233/
> 
> Affected machines include my server, which is running F-8.  Eep.

Pardon me -- my point of view is that by using wordpress you voluntarily
agree to get exploited, and no wordpress vulnerability is ever to be
considered as having priority higher than low.

> If a package maintainer doesn't turn a security fix around quickly, is
> it reasonable (albeit a bit less than totally polite) to step in and do
> the update oneself, assuming the ACLs permit it?
> 
> In this case, I found that jwb was already making the necessary edits
> just as I was checking the wordpress module out of CVS, which is cool,
> but what's the general it's-a-weekend-and-everyone's-gone-skiing practice?

During the week Fedora Security Response team actively monitors various
sources of flaws and if something that needs immediate action arises, we
take that action promptly. If the maintainer is unavailable, fix exists
and ACLs permit, we do the fixing. If ACLs don't exist, there still are
admins with super powers, so they can commit.

During weekends we can not guarantee that we will fix whatever arises in
a day, due to our hours off and possibly releng having a weekend too.
I'd say we can be confident that the security features of Fedora proper,
such as FORTIFY_SOURCE, ExecShield and SELinux, together with responsible
configuration (firewall, etc.) lower the possibility of exposure to
something really serious to a minimum.

Please note that responsible configuration in most cases implies no
WordPress. Don't get me wrong please -- look at its security track.

PS: Note we may be on during weekends too anyways -- as I am now.
Remember we fixed a security issue on Christmas Eve.

Thanks,
-- 
Lubomir Kundrak (Red Hat Security Response Team)
