On Mon, 10 Mar 2008 12:20:08 -0600 Jake Edge <jake@xxxxxxx> wrote:

Feel free to keep beating... ;) This stuff needs to improve. :(

> but I am trying to puzzle out the kronolith advisories. They do not
> include either a CVE reference or a bugzilla reference. One contains
> the changelog, one not. And the description of the problem is as
> follows:
>
> Fix privilege escalation in Horde API. Fix missing ownership
> validation on share changes.
>
> This is for FEDORA-2008-2221 and FEDORA-2008-2212.
>
> How am I (or anyone) supposed to figure out what's going on here?

Not easily. ;(

Kronolith upstream seems pretty happy go lucky. They fixed these things in their cvs with no upstream bugs filed. As far as I know they never requested a CVE or anything like it. Their viewcvs setup makes it pretty impossible to see what changed. They added other changes into this release instead of just releasing the security updates, etc.

Manually pulling down the two releases and diffing them got me the changes, but it was messy. ;(

So, what should we do in this case? It really is a security update... Should we always file redhat.bugzilla.com bugs and make sure they are updated with info? Should we file upstream bugs and ask them to explain the changes? Should we request a CVE and wait for that before pushing the update?

Some guidelines here would be good...

> jake

kevin
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list