Re: CVE Tracking Bugs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

On Wed, Sep 07, 2022 at 06:04:14PM +0000, Maxwell G via devel wrote:
> Hi Fedorians,
> 
> I think the security tracking bug filing process needs to be amended. The
> current process is quite frustrating for me and other contributors. This is
> especially bad for Go CVEs, which there are lot of.
> 
> Red Hat Product Security creates a single tracking bug for Fedora{, EPEL}
> _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then
> create separate bugs for each package that they deem affected. The affected
> packages are oftened determined in a manner that appears overzealous and
> arbitrary.
> 
> After the bugs are created, we get spammed with a bunch of notifications
> about private bugs, RH product errata, and various other things that are
> completely irrelevant to Fedora. These messages flood my Bugzilla mailbox
> and obscure actual issues that I need to address. I do not really care
> whether a Go CVE has been mitigated in Red Hat Advanced Cluster Management
> for Kubernetes 2.4 for RHEL 8"
> or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8" or 
> "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8."
>

An unrelated issue, but also not ideal:

some engineers at my company worked on fixing some Eternal Terminal
(package: et) security issues. Those are fixed, we pushed out updated
packages, then went through the CVE process...

Then CVEs get filed against both Fedora and EPEL, warning against
versions < 6.2.0 ... while 6.2.1 has been in stable updates for months.

https://bugzilla.redhat.com/buglist.cgi?bug_status=__closed__&classification=Fedora&component=et&list_id=12953025&product=Fedora&product=Fedora%20EPEL&query_format=advanced&short_desc=CVE&short_desc_type=allwordssubstr

Feedback to RH prodsec people -- if the process right now assumes every
package built before the CVE is public is affected, this might not work
well for fixes released while under embargo.

Thanks,

-- 
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux