Fedora Security Response Team

Dennis Gilmore dennis at ausil.us
Wed May 10 15:04:51 UTC 2006


On Wednesday 10 May 2006 09:00, Josh Bressers wrote:
> > So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9}
> > files here as well to track CVE issues with you all for Fedora Legacy
> > issues?
> >
> > If it's not a problem, I am wondering if any of you have any thoughts or
> > suggestions on how to go about generating such lists?
>
> If you have the information captured in Bugzilla you may be able to extract
> it from there.  The descriptions MITRE provides for issues are prose, so
> there isn't really a nice way to get what you need from there.
A simple Perl script should be able to extract the info from the Bugzilla 
database and insert it into a text file.  I did something kinda similar, but 
in reverse: I extracted the component info from Fedora's describe 
components page and inserted it into Aurora's Bugzilla database.  It saved 
much typing.
> I have no complaints about tracking the Fedora Legacy distributions in CVS.
> I think keeping things close together is wise.  If we are tracking this
> many distributions though, perhaps one file for each is not the right way
> to go.  Perhaps some thought and discussion is warranted.
I think we should track Legacy here.  It serves the ultimate goal of having 
one central location for Fedora security.  I see 3 ways to track the info:

1)  As we are now, one file per release, perhaps merging Extras and Core into one 
file (not now, but later).
2)  Use one file per CVE.  Has a lot of files, but you could list in each one 
the affected releases.
3)  Time-based rotation of files.  List in a similar manner to what is currently done, 
but add the affected releases to the end, and rotate files each 
month/quarter/half year/full year.

> >
> > Um ... since we've never started a list for Fedora Legacy for all the
> > CVE's that ever existed (or at least since the Fedora Legacy project has
> > existed), is the creation and maintenance of these going to be torturous
> > and cumbersome?
>
> The creation is painful as there are literally tens of thousands of CVE ids
> per year.  Once you're caught up things aren't as bad since the ids are
> just a constant trickle of information.
Back tracking will be extremely painful, and the further forward we move the 
less necessary it will become.  For instance, once Legacy drops FC1 support 
there won't be much concern whether older security issues were resolved or not.

> > Putting together a fairly complete list of all the CVE's and all the
> > packages that are vulnerable or fixed by all of these CVE's ... ugh, it
> > indeed sounds like a horrible task!  Are there any plans or thoughts to
> > have something like "security days" whereby a bunch of us folks can get
> > together and do the work while yakking it up on an IRC channel, making
> > the process at least potentially a *little* more fun, and making it
> > possible for us to get to know one another better?
>
> This isn't a half bad idea (what do others think?).  At the very least
> perhaps an IRC channel is in order.  I see #fedora-security already exists
> on Freenode, no doubt just for this purpose :)
I started #fedora-security back when the SIG was first proposed, just for 
this type of thing.  The security days sound like a great idea.
-- 
Regards

Dennis Gilmore,  RHCE
Proud Australian
