Fwd: Fwd: CVE Tracking Bugs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Huzaifa,

Thank you for your response and for getting it to me despite the issues
with the mailing list.

You have to subscribe[1] to the devel list to post to it. There
has been a lot of good discussion about this on the ML since my
original post[2].

I am forwarding this to the list to keep the community in the
loop. I will respond in more detail later.

[1]: https://lists.fedoraproject.org/admin/lists/devel.lists.fedoraproject.org/
[2]: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/ETPDV57SDTABYN6P6MGRZWRRCXVFLPZD/

Best,
Maxwell

Forwarded message from Huzaifa Sidhpurwala on Sat Sep 17, 2022:
Hello Max,

Pete tried to send this email to devel list, but it got rejected, so i
thought i will forward this to you directly.


---------- Forwarded message ---------
From: Pete Allor <pallor@xxxxxxxxxx>
Date: Wed, Sep 14, 2022 at 6:47 AM
Subject: Fwd: CVE Tracking Bugs
To: Huzaifa Sidhpurwala <huzaifas@xxxxxxxxxx>, Przemyslaw Roguski <proguski@xxxxxxxxxx>, Clifford Perry <cperry@xxxxxxxxxx>


Can you all get this email to Maxwell?????

---------- Forwarded message ---------
From: <devel-owner@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, Sep 13, 2022 at 9:13 PM
Subject: Re: CVE Tracking Bugs
To: <pallor@xxxxxxxxxx>


Your message to the devel mailing-list was rejected for the following
reasons:

The message is not from a list member

The original message as received by Mailman is attached.



---------- Forwarded message ----------
From: Pete Allor <pallor@xxxxxxxxxx>
To: devel@xxxxxxxxxxxxxxxxxxxxxxx
Cc:
Bcc:
Date: Tue, 13 Sep 2022 20:49:04 -0400
Subject: Re: CVE Tracking Bugs
Maxwell,
One of my folks pointed this post out to me today.   From a ProdSec
perspective, you can reach out directly to me.

The PSIRT Team and their work on CVEs report up through me, so I will be
glad to have a discussion with you and why my folks are not supporting you
fully and how to fix that.

I think the main thrust you are pointing to is that as the CNA for Fedora,
we should not be mixing all Red Hat errata into the Fedora project.
 Meaning keeping them more separated and distinct.   That may not address
all concerns, but I think it would be a good starting point to keep the
focus correct and distinct, not overload on messages and bring attention to
what is critical / important so they are not missed.

I am traveling this week.   Can we set a meeting next week to discuss
further?

Pete


***********************
Hi Fedorians,

I think the security tracking bug filing process needs to be amended. The
current process is quite frustrating for me and other contributors. This
is especially bad for Go CVEs, which there are lot of.

Red Hat Product Security creates a single tracking bug for Fedora{, EPEL}
_and_ all Red Hat products and CCs a bunch of Fedora maintainers. They
then create separate bugs for each package that they deem affected. The
affected packages are oftened determined in a manner that appears
overzealous and arbitrary.

After the bugs are created, we get spammed with a bunch of notifications
about private bugs, RH product errata, and various other things that are
completely irrelevant to Fedora. These messages flood my Bugzilla mailbox
and obscure actual issues that I need to address. I do not really care
whether a Go CVE has been mitigated in Red Hat Advanced Cluster
Management for Kubernetes 2.4 for RHEL 8"
or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8"
or  "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8."

---

Some particularly egregious examples:

I maintain an Ansible kubernetes collection, and they reported it as
vulnerable to some CVE with a specific Openshift component. The
collection not vulnerable. They provided no actionable information, and
the description was unclear. When I asked why it was reported, they said
that the package "used OpenShift."

A couple Go CVEs ago[^1], they created bugs against hundreds of Go
libraries. They arbitrarily chose branches and packages. The bugs were
not actionable by packagers of individual go libraries. Only applications
that provide binaries need to be rebuilt. They were reported shortly
before the F34 EOL, so we got a huge amount of emails after the bugs were
automatically closed. In fact, a Go packager reported that these messages
from the _security_ team DOSed their mail server. To their credit, they
have fixed this issue after one of the other Go SIG people talked to
them. Now, these bugs are only filed against the golang component.

[^1]: Really, it was a couple Go releases ago. There are multiple CVEs
reported with each Go release these days.

Another time, their automation posted the exact same comment over 200
times.

---

First and foremost, there needs to be a clear way for packagers to report
problems with this process to prodsec.

I don't think Fedora packagers should be CCed on these global trackers.
We could create a separate "Security Response" component under the
"Fedora" Bugzilla product to create tracker bugs for CVEs that affect
multiple Fedora components, or we could ask prodsec to only CC Fedora
maintainers on the child, package-level bugs. I guess I could acomplish
what I'm proposing by filtering out mails with "X-Bugzilla-Product:
Security Response" headers and not have gone on this rant, but I still
think this needs to be addressed.

Does anyone know how to reach prodsec about this?
--
Best,

Maxwell G (@gotmax23)
Pronouns: He/Him/His
******************************

-- 
Pete Allor, Director, Red Hat Product Security - Secure Engineering
(m) 1-404-200-4630


-- 
Pete Allor, Director, Red Hat Product Security - Secure Engineering
(m) 1-404-200-4630


-- 
Regards,

Huzaifa Sidhpurwala
Senior Principal Product Security Engineer / Red Hat Product Security

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux