On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> On Mon, 10 Mar 2008 12:20:08 -0600
> Jake Edge <jake@xxxxxxx> wrote:
>
> Feel free to keep beating... ;) This stuff needs to improve. :(
>
> > but I am trying to puzzle out the kronolith advisories. They do not
> > include either a CVE reference or a bugzilla reference. One contains
> > the changelog, one not. And the description of the problem is as
> > follows:
> >
> > Fix privilege escalation in Horde API. Fix missing ownership
> > validation on share changes.
> >
> > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> >
> > How am I (or anyone) supposed to figure out what's going on here?
>
> Not easily. ;(
>
> Kronolith upstream seems pretty happy go lucky. They fixed these things
> in their cvs with no upstream bugs filed. As far as I know they never
> requested a CVE or anything like it. Their viewcvs setup makes it
> pretty impossible to see what changed. They added other changes into
> this release instead of just releasing the security updates, etc.
>
> Manually pulling down the two releases and diffing them got me the
> changes, but messy. ;(
>
> So, what should we do in this case?
>
> It really is a security update... should we always file
> redhat.bugzilla.com bugs and make sure they are updated with info?
>
> Should we file upstream bugs and ask them to explain the changes?
>
> Should we request a CVE and wait for that before pushing the update?
>
> Some guidelines here would be good...

Who approved these? I noticed this before it got pushed and asked the
maintainer to sort the things out (add references to bugs, file them
eventually).

-- 
Lubomir Kundrak (Red Hat Security Response Team)

-- 
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list