Re: Making Fedora secure - Package exit policy for security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/01/2018 01:46 AM, Daniel P. Berrangé wrote:

> The list of ImageMagick CVEs is horrific - 59 open CVEs - for something
> that is often going to be used in a scenario where it is fed untrustworthy
> images.  exiv2 is pretty concerning too with 19 open CVEs, again for
> something often used with untrustworthy input images :-(

Yeah, but this is a good example. I haven't looked at the current crop,
but I did an update for ImageMagick a while back that fixed a gigantic
ton of CVE's. On looking at them however, they were almost all filed
from someone running a fuzzer over the source. Upstream then fixed the
issues which is great, but in many cases they noted it was very
hard/impossible to make an expolit out of them for various reasons.

So, just seeing 59 CVE's doesn't tell the whole story.

I'm not sure what the answer is here, I'm pretty sure there's no one
simple answer. Perhaps a combo of concentrating on the important ones
and making things more visible (generate a list of the important ones
asking for help once a cycle?).

kevin



Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/GGFEGN3KP4AK6O7PFEK3XKM4Q23AIGSH/

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux