Re: whole pile o' updates

On Thu, 14 Feb 2008 08:25:19 -0700
Jake Edge <jake@xxxxxxx> wrote:

> - those were all related to the same gecko vulnerabilities, which is
> what (I presume) motivated reusing the same IDs, but at least one
> (perhaps two, I can't remember for sure) of those, ruby-gnome2 also
> fixed a separate CVE that was unrelated to the mozilla pile
> 
> - How is it that so many packages were affected by these mozilla
> vulns? Are they statically linked?  Reusing the code?  Have very
> restrictive dynamic library version numbers?  It just seems that a
> vulnerability in a component shouldn't necessarily have this kind of
> cascading effect.

Here is what happens.  There are a /ton/ of packages in Fedora that
build against gecko libs, or otherwise link to them.  In Fedora 8, the
gecko lib location would change every time gecko is rebuilt.  So in
order for these packages to continue working, they have to be rebuilt
for the new location.  So when a gecko security issue happens, a big
pile of packages have to be rebuilt so that they'll work with the new
gecko.  In order to ensure that they all get pushed at the same time,
all the builds are attached to a single update request in our update
tool, bodhi.  See
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1535

As for ruby-gnome2's other CVE fix, that was released earlier in a
different update,
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4216

> 
> - Overall, we have been noticing a decline in the quality of Fedora
> security alerts.  They are often missing basic information about what
> bug they are fixing (other than perhaps a reference to bugzilla,
> sometimes a link to the CVE).  I think if you read a lot of those
> alerts as if you were just a plain old user, you would find that some
> provide very little useful information to try and determine what
> problem is being fixed.  I can provide examples if necessary.  Is
> there something that can be done to standardize the format a bit?

Recently the Fedora project granted the Security team the task of
reviewing all updates that are to go out tagged as security.  It's the
Security team's responsibility to ensure that the messaging is correct.
This is a fairly recent change so it may take a little bit to start to
notice an overall trend back into the consistent messaging.  Prior to
this, all Fedora maintainers were able to generate whatever message
they wanted to for security updates.

-- 
Jesse Keating
Fedora -- All my bits are free, are yours?
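The rebuild cascade Jesse describes above (every package linking against the relocated gecko libs must be rebuilt and pushed in one update) can be modelled as a transitive reverse-dependency closure. The following is an added illustration, not code from the list or from Fedora's tooling; the package names and the dependency graph are constructed for the example, and "gecko-libs" stands in for the Firefox/XULRunner library package.

```python
from collections import deque

# Constructed dependency graph (not real Fedora data): each package maps to
# the packages whose shared libraries it links against. "gecko-libs" is the
# library package whose install path changed with every rebuild on Fedora 8.
LINKS_AGAINST = {
    "gecko-libs": set(),
    "epiphany": {"gecko-libs"},
    "yelp": {"gecko-libs"},
    "ruby-gnome2": {"gecko-libs", "gtk2"},
    "liferea": {"gecko-libs", "gtk2"},
    "gnome-python2-extras": {"gecko-libs"},
    "some-plugin": {"gnome-python2-extras"},  # depends on gecko only indirectly
    "gtk2": set(),
    "vim": set(),                              # unrelated, must not be rebuilt
}

def reverse_deps(graph):
    """Map each package to the packages that link against it."""
    rev = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev

def rebuild_set(graph, changed):
    """Every package (transitively) that must be rebuilt when `changed`
    moves its libraries, i.e. the contents of the single security update."""
    rev = reverse_deps(graph)
    seen, queue = set(), deque([changed])
    while queue:
        for dependent in rev.get(queue.popleft(), set()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def build_order(graph, changed):
    """Kahn's topological sort over the affected set, so each package is
    rebuilt only after everything it links to has been rebuilt."""
    affected = rebuild_set(graph, changed) | {changed}
    rev = reverse_deps(graph)
    indeg = {p: len(graph[p] & affected) for p in affected}
    ready = sorted(p for p in affected if indeg[p] == 0)
    order = []
    while ready:
        pkg = ready.pop(0)
        order.append(pkg)
        for dependent in sorted(rev.get(pkg, set()) & affected):
            indeg[dependent] -= 1
            if indeg[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(affected):
        raise ValueError("dependency cycle among affected packages")
    return order
```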


--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
