Hi,

On Fri, 2008-02-08 at 21:16 -0800, Bryan O'Sullivan wrote:
> A bug in a piece of widely used PHP-based software was announced a few
> days ago, and it's now being actively exploited by spammers:
>
> http://wordpress.org/development/2008/02/wordpress-233/
>
> Affected machines include my server, which is running F-8. Eep.

Pardon me -- my point of view is that by using WordPress you voluntarily agree to get exploited, and no WordPress vulnerability is ever to be considered as having priority higher than low.

> If a package maintainer doesn't turn a security fix around quickly, is
> it reasonable (albeit a bit less than totally polite) to step in and do
> the update oneself, assuming the ACLs permit it?
>
> In this case, I found that jwb was already making the necessary edits
> just as I was checking the wordpress module out of CVS, which is cool,
> but what's the general it's-a-weekend-and-everyone's-gone-skiing practice?

During the week the Fedora Security Response team actively monitors various sources of flaws, and if something that needs immediate action arises, we take that action promptly. If the maintainer is unavailable, a fix exists and the ACLs permit, we do the fixing. If ACLs don't exist, there are still admins with super powers, so they can commit.

During weekends we cannot guarantee that we will fix whatever arises within a day, due to our hours off and possibly releng having a weekend too.

I'd say we can be confident that the security features of Fedora proper, such as FORTIFY_SOURCE, ExecShield and SELinux, together with responsible configuration (firewall, etc.), lower the possibility of exposure to something really serious to a minimum. Please note that responsible configuration in most cases implies no WordPress. Don't get me wrong, please -- look at its security track record.

PS: Note we may be on during weekends too anyway -- as I am now. Remember we fixed a security issue on Christmas Eve.

Thanks,
--
Lubomir Kundrak (Red Hat Security Response Team)

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list