Intent to retire flintqs in EPEL7, EPEL8, and EPEL9 for security reasons

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

When I took over maintenance of the flintqs package[1]—which contains William Hart’s quadratic sieve implementation, as modified for sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why not? Someone might find it useful.”
It was recently pointed out[2][3] that the flintqs command-line tool uses temporary files in unsafe ways[4], which could potentially represent an exploitable security vulnerability; this has been assigned CVE-2023-29465[5].
There is no immediate patch available; while one could surely be constructed, the sagemath project plans to incorporate the factorization algorithm directly in sagemath and discontinue support of the vulnerable command-line tool rather than fixing it[6].
Since sagemath is not packaged in any of the EPEL releases, and flintqs is therefore a leaf package, I plan to handle this security report by retiring flintqs in all three EPELs. This email is the beginning of that process as prescribed in the EPEL Retirement Policy: Process: Security Reasons[7]. I doubt there will be any objections, but the process requires a one-week discussion period, so I will follow up on the epel-announce list and do the retirements no earlier than 2023-03-17. 

[1] https://src.fedoraproject.org/rpms/flintqs

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2185301

[3] https://github.com/sagemath/FlintQS/issues/3

[4] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

[5] https://nvd.nist.gov/vuln/detail/CVE-2023-29465

[6] https://github.com/sagemath/sage/pull/35419
[7] https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons 
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Fedora Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Announce]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Linux Apps]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux