Re: Fedora Security Team

On Wed, Nov 4, 2020 at 9:10 AM Huzaifa Sidhpurwala <huzaifas@xxxxxxxxxx> wrote:
>
> I don't think creating 5 bugs per CVE is a correct statement here. We create one bug per product per CVE.
>
> So if Fedora is affected with a node.js, we create one Fedora tracker per CVE. The tracker should block the CVE bug, so it should be easy to find. Also you can search for bugs with SecurityTracking whiteboard if you can't find otherwise.
>
> Let me know if you need help in tracking your Fedora security bugs :)
>
> ----- Original Message -----
> From: "Stephen Gallagher" <sgallagh@xxxxxxxxxx>
> To: "Development discussions related to Fedora" <devel@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, November 4, 2020 8:31:32 PM
> Subject: Re: Fedora Security Team
>
>
>
> On Tue, Nov 3, 2020 at 11:39 AM Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>
> On Tue, Nov 03, 2020 at 10:02:24AM +0000, P J P wrote:
> > * Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product security team.
> >
> > * CVEs/bugs are fixed in the upstream sources first. Fedora package maintainers rebuild
> > the package with the released fixes.
>
> I see currently over 1000 such tracking bugs[1].
> I realize in some cases it may be missing an upstream fix and it is not a
> Fedora package maintainer's responsibility to develop a fix (although
> anyone can help upstream to develop a fix). But by looking at a few random
> items there, it seems the fix is available in a subsequent upstream
> release and what is missing is just bumping the package version in
> Fedora. In some (many?) cases, the newer package is even already there,
> but the missing part is closing the related tracking bug (and I'd guess the
> update lacked info that it was a security fix, but I haven't verified that).
>
>
> I'm definitely guilty of the latter part, particularly for Node.js.
>
> Generally, whenever Node.js issues a security release, they do so for multiple issues simultaneously. When Product Security then goes and creates Bugzilla tickets, they create many (sometimes up to five bugs per CVE). It becomes nearly impossible to keep up with the bug maintenance in such situations. The process is just too heavyweight and I often end up just doing the upstream releases and ignoring the BZs.
>
> If we want this to be more accurate, we really need to have a more streamlined and/or automated solution for these issues.

The multiple bugs I see are for RHEL as well. There is typically only
1 for Fedora.  If you need a query to see open Fedora CVE bugs on
kernel, I use:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&bug_status=POST&classification=Fedora&component=kernel&keywords=Security&keywords_type=anywords&list_id=11463462&order=Bug%20Number&product=Fedora&query_format=advanced
Simply replace the component=kernel with your packages and keep a
bookmark.  I track it every morning, and it is fairly easy to stay on
top of, though the kernel probably gets more CVEs than most packages,
so maybe daily is overkill for some.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx