Hi Jake,

On Thu, 2008-02-14 at 08:25 -0700, Jake Edge wrote:
> (Josh Bressers suggested I send my questions here rather than asking him
> or someone else directly)
>
> Yesterday you folks released an enormous number of security updates.
> While I could selfishly complain about it being done on a Wednesday, my
> real issues are the following:
>
> - it seems deliberate that the same alert ID tag was reused
> (FEDORA-2008-1435 and FEDORA-2008-1535), it would seem to be a bit
> confusing to refer to multiple alerts with the same ID, take a peek at:
>
> http://lwn.net/Alerts/Fedora/
>
> to see what I mean.

Basically there are to be considered just two updates, FEDORA-2008-1535
for Fedora 8 gecko-libs issues and FEDORA-2008-1435 for Fedora 7
gecko-libs issues. What is confusing here is that the announcement was
split across separate mails for each package. We are currently tracking
the problem for the update system [1].

[1] https://fedorahosted.org/fedora-infrastructure/ticket/392

> - those were all related to the same gecko vulnerabilities, which is what
> (I presume) motivated reusing the same IDs, but at least one (perhaps
> two, I can't remember for sure) of those, ruby-gnome2 also fixed a
> separate CVE that was unrelated to the mozilla pile
>
> - How is it that so many packages were affected by these mozilla vulns?
> Are they statically linked? Reusing the code? Have very restrictive
> dynamic library version numbers? It just seems that a vulnerability in
> a component shouldn't necessarily have this kind of cascading effect.

Due to upstream (Mozilla) policy on ABI stability, all packages that are
dynamically linked to gecko libraries need to be rebuilt. (So basically
you were correct, it's the "restrictive dynamic library version
numbers".) This is definitely not ideal, but also not our fault -- the
situation is expected to improve a lot with the advent of xulrunner in
Fedora 9 though.

I'm not an expert on this, I might redirect you to our Mozilla guys if
you need more information.

They are all pushed as a single update to prevent dependency breakage,
and if the update contains a security fix it is marked as a security
update. It is possible that attack vectors don't exist for many of the
packages.

> - Overall, we have been noticing a decline in the quality of Fedora
> security alerts. They are often missing basic information about what
> bug they are fixing (other than perhaps a reference to bugzilla,
> sometimes a link to the CVE). I think if you read a lot of those alerts
> as if you were just a plain old user, you would find that some provide
> very little useful information to try and determine what problem is
> being fixed. I can provide examples if necessary. Is there something
> that can be done to standardize the format a bit?

We are attempting to concentrate the detail of fixed issues in bugzilla,
while using descriptive titles of bugs. The update description relies
upon the decision of the maintainers. I was personally convinced that it
is not needed provided references to bugzilla are good enough. What can
be done is to motivate the maintainers to provide useful descriptions.

Luke: Would it be possible to complement "Notes:" in bodhi with something
like: "Please provide 2-3 sentences to briefly describe the nature of
each of the problems being fixed" or something like that?

Thanks,
--
Lubomir Kundrak (Red Hat Security Response Team)

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list