On Thu, Apr 17, 2014 at 03:11:38PM +0200, drago01 wrote:
> On Thu, Apr 17, 2014 at 3:02 PM, Chuck Anderson <cra@xxxxxxx> wrote:
> > On Thu, Apr 17, 2014 at 02:52:41PM +0200, drago01 wrote:
> >> On Thu, Apr 17, 2014 at 2:51 PM, Chuck Anderson <cra@xxxxxxx> wrote:
> >> > On Wed, Apr 16, 2014 at 11:23:15PM +0200, drago01 wrote:
> >> >> On Wed, Apr 16, 2014 at 9:11 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >> >> > Greetings.
> >> >> >
> >> >> > We have new f19/f20 images with openssl updated, and they appear to be
> >> >> > default/live already.
> >> >> >
> >> >> > Were we waiting for some testing runs on them before announcing?
> >> >> > (Which we should have done before making them live, imho)
> >> >> >
> >> >> > Or did that already happen?
> >> >> >
> >> >> > Did we want to do a full test cycle on them?
> >> >> > Or just openssl-related actions?
> >> >>
> >> >> Huh?
> >> >>
> >> >> Since when do we do something like this? Sounds like an overreaction to me.
> >> >> Installing (security) updates is the first thing you should do after
> >> >> installing anyway, and besides, who decided this and when?
> >> >> What are the criteria for doing updated images?
> >> >
> >> > Live images can't be updated...
> >>
> >> 1) They can
> >> 2) Live images are not supposed to be used for production ..
> >
> > 1) Sure, if you have a persistent live image on a USB I suppose. But
> > with CD/DVD media, you cannot update and then reboot as is necessary
> > to fix the issue. You can manually restart all processes/services
> > that were linked against the old openssl I suppose, but you would have
> > to go through this dance after every single boot to remove this
> > vulnerability.
>
> Which service do we install and run by default that uses OpenSSL and
> is configured to use SSL on the live media?
> -> Answer is none.
>
> > 2) Live images could be used to rescue/repair a production
> > environment,
>
> See above.
>
> > or could be used as a client to access a production
> > environment. For example, one could be using "curl" which is linked
> > against the bad openssl.
>
> curl is a client.

Clients ARE affected:
http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely

Does anaconda or yum use OpenSSL? Because then "yum update" and "liveinst" are potentially affected.

Does libvirt/virt-manager/virt-viewer use OpenSSL? Because I could certainly see a sysadmin using a Live image to run virt-manager/virt-viewer to connect over the network via SSL to a hypervisor.

Do VNC/RDP clients use OpenSSL? rdesktop is linked against an OpenSSL library. It may be possible to exploit it.

> > We shouldn't leave our users exposed if they
> > decide to use a live image, especially since I don't think it is
> > documented anywhere that "these images are unsuitable for use in a
> > production environment".
>
> They are unsuitable by their very nature of being live images.

Why are we shipping unsuitable software then?

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
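The thread above turns on one practical point: after updating openssl in memory on a live image, every process that was already running keeps executing the unlinked old library until it is restarted, and on CD/DVD media the update itself is gone at the next boot. The script below is an added example of how to find those processes; it is not code from the thread or from the Fedora project. It assumes a Linux /proc layout (the kernel marks a mapping of a replaced file with "(deleted)" in /proc/PID/maps) and assumes OpenSSL's shared objects are named libssl.so* and libcrypto.so*. The sample maps lines embedded in it are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): find processes that still run the
# pre-update OpenSSL after the library was replaced on disk.

# OpenSSL's shared-object names; an assumption about the installed packaging.
LIBPAT='lib(ssl|crypto)\.so'

# maps_has_stale_lib: read one /proc/PID/maps on stdin and exit 0 if the
# process still maps an OpenSSL library whose on-disk file has been replaced
# (the kernel appends "(deleted)" to such mappings).
maps_has_stale_lib() {
    grep -E "$LIBPAT.*\(deleted\)$" >/dev/null
}

# maps_linked_libs: print the distinct OpenSSL library paths mapped by a
# process. Field 6 of a maps line is the pathname; "(deleted)" is field 7.
maps_linked_libs() {
    awk 'NF >= 6 { print $6 }' | grep -E "$LIBPAT" | sort -u
}

# stale_lib_pids: walk /proc and print "PID COMM" for every process that is
# still executing the old OpenSSL. Reading other users' maps needs root.
stale_lib_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_lib 2>/dev/null < "$maps"; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample (not real data): the maps of a client such as rdesktop
# or curl that was started before "yum update openssl" ran.
SAMPLE_MAPS='7f3a00000000-7f3a00200000 r-xp 00000000 08:01 393221 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a00400000-7f3a00480000 r-xp 00000000 08:01 393223 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a00600000-7f3a007c0000 r-xp 00000000 08:01 131075 /usr/lib64/libc-2.18.so'

if printf '%s\n' "$SAMPLE_MAPS" | maps_has_stale_lib; then
    echo "sample process still runs the pre-update OpenSSL:"
    printf '%s\n' "$SAMPLE_MAPS" | maps_linked_libs
fi

# Scan the running machine only when asked for explicitly.
if [ "${1:-}" = "--scan" ]; then
    stale_lib_pids
fi
```

Run it with `--scan` as root on an updated-but-not-rebooted system to get the list of PIDs to restart; an empty list means every process has picked up the new library. The check looks at what is actually mapped at runtime rather than at `ldd` output, so it also catches binaries that dlopen OpenSSL. On CD/DVD live media the list comes back at every boot, which is the "dance" Chuck describes.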