Mailing List Archive

Re: Re: local root exploit for linux 2.4 and linux 2.6.
Sven Beukenex wrote:

>On Sat, 08 Jan 2005 12:18:22 -0600, Lance Albertson <ramereth@gentoo.org> wrote:
>
>
>>Peter Simons wrote:
>>
>>
>>>Miguel Filipe writes:
>>>
>>> > I came "sounding like an ass"? Why is that?
>>>
>>>Because you criticized the Gentoo project. It works like
>>>this: You bring up a security problem. In the replies you
>>>get, though, your actual point is flat out dismissed or
>>>never addressed at all. Instead, you and your behavior will
>>>be discussed in a very provoking manner. Once you have been
>>>thoroughly annoyed and insulted, you become defensive and
>>>lose focus of what you were trying to say in the first
>>>place! Thus, the discussion drifts away from the security
>>>problem.
>>>
>>>
>>Peter, please don't start your rant again.
>>
>>
>>
>>> > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
>>> > mentioned in the GENTOO SECURITY ML because its in the
>>> > bugs repository?
>>>
>>>The advantage of dealing with security problems _only_ in
>>>the bug tracking system is that practically nobody follows
>>>the bug tracking system -- whereas lots of people read the
>>>mailing list. Thus, there is less transparency, which means
>>>more freedom for the Gentoo core team to deal with security
>>>problems in a way that doesn't interfere with internal
>>>politics (read: egos).
>>>
>>>
>>The reason you haven't seen an email about it is because security
>>advisories get sent to gentoo-announce. It was decided a few years ago
>>to move those emails from here to there because there were a lot more
>>people on that list. The other reason you haven't seen any email about
>>this from us is because we go through a process to make sure all the
>>ebuilds are updated before we release an announcement (which is
>>documented on our site [1] ). It's not being ignored one bit, it's just
>>not very visible unless you follow bugs.
>>
>>
>
>You send the _security_ advisories to _announce_ because more people
>are subscribed to it?
>You only announce problems _after_ a fix is made??? Did it occur to
>any of you that people might want to disable vulnerable services or
>even *gasp* help produce fixes for the problems?
>We have to watch bugs.gentoo to get a total picture?
>
>I couldn't agree more with Peter, this ML is about as useful as a
>bicycle is to a fish.
>
>
>
The absolute outrage and lack of manners here is very
disappointing. Now I would be one to agree that it's quite backwards,
but the documentation clearly states where all the GLSA's are
announced. Someone already stated that one could subscribe to
security@gentoo.org on bugzilla. Then people complain that it would be
too much traffic, filtering the crap from the actual vulnerabilities.
As if forwarding all the traffic to the list would be any better, or any
different? Either way anyone that subscribes is going to get useless
bugs that were misassigned, or already patched, or are downright bogus,
god forbid they have to sort through them all.


>>> > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
>>> > here, WHY THE HELL does this ML exist?
>>>
>>>As it happens, I have a concrete proposal how to make this
>>>list more useful! How about having the bug tracking system
>>>forward all new security-related entries to this mailing
>>>list automatically? This policy would (a) increase
>>>transparency and (b) help finding volunteers from the
>>>community who care enough about a problem to be willing to
>>>dedicate time to fixing it. Thus: less work for the Gentoo
>>>core team, more security for everybody.
>>>
>>>
>>Add a watch on the bugs site like was previously mentioned. Perhaps that
>>should be better documented so people like him can follow things like that.
>>
>>
>>
>>> > Where is explained that those who want to follow security
>>> > issues that may affect their systems should track
>>> > bugs.gentoo.org?
>>>
>>>I'd very much like to see an answer to this question. The
>>>page <http://security.gentoo.org/> doesn't seem to say
>>>anything about it.
>>>
>>>
>>See above. If this needs to be added, make a bug about it.
>>
>>[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
>>
>>-Lance
>>
>>
>>--
>>gentoo-security@gentoo.org mailing list
>>
>>
>>
>>


--
Alec Warner
Spartasoft Secretary ( spartasoft.msu.edu )
Junior Computer Science
Michigan State University
warnera6@egr.msu.edu


Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, 08 Jan 2005 14:02:06 -0500, Alec <warnera6@egr.msu.edu> wrote:

> >You send the _security_ advisories to _announce_ because more people
> >are subscribed to it?
> >You only announce problems _after_ a fix is made??? Did it occur to
> >any of you that people might want to disable vulnerable services or
> >even *gasp* help produce fixes for the problems?
> >We have to watch bugs.gentoo to get a total picture?
> >
> >I couldn't agree more with Peter, this ML is about as useful as a
> >bicycle is to a fish.
> >
> >
> >
> The absolute outrage and lack of manners here is very
> disappointing. Now I would be one to agree that it's quite backwards,
> but the documentation clearly states where all the GLSA's are
> announced. Someone already stated that one could subscribe to
> security@gentoo.org on bugzilla. Then people complain that it would be
> too much traffic, filtering the crap from the actual vulnerabilities.
> As if forwarding all the traffic to the list would be any better, or any
> different? Either way anyone that subscribes is going to get useless
> bugs that were misassigned, or already patched, or are downright bogus,
> god forbid they have to sort through them all.
>
>
> --
> Alec Warner
> Spartasoft Secretary ( spartasoft.msu.edu )
> Junior Computer Science
> Michigan State University
> warnera6@egr.msu.edu
>
>

What I find disappointing is that you react in this way to my mail,
not to the flames the original poster got. The only reason I reacted
this strongly is because frankly, _I_ am outraged that people who
raise serious questions here are treated like filth.
Please look at the original post again, do you actually think Mike
Frysinger is right in calling Miguel an ass?

--

Why are the pretty ones always insane?
-- J.G. Thirlwell

Re: Re: local root exploit for linux 2.4 and linux 2.6.
The last 20 posts have had nothing practical to do with this local root
exploit. If it's the policy that this list is not used as a forum to
notify people of *major* security exploits even before the fix is released
then there's nothing to talk about. A policy is a policy. However, if
this project is supposed to be community based and democratic and a
majority of people think that it will increase its efficiency and
effectiveness to have notifications posted to this list, then maybe the
people should take notice and consider it, rather than throwing around
insults. Maybe the user base on this list should be consulted on what
they think is best?

If not, that's fine, but nobody should have illusions about the gentoo
community having an easily accessible avenue to receive *extremely
important* notifications, even without a fix, such as these. Nor should
they delude themselves in thinking that they respond appropriately to the
concerns of their userbase. Subscribing to a bug tracking list to track
local and remote root exploits is an unreasonable request to make of
sysadmins who frankly don't have the time to deal with it. As many others
have already mentioned, this isn't good enough. Is there some other
solution we can work towards?



k.

Re: local root exploit for linux 2.4 and linux 2.6.
Sorry for interrupting this flamewar....

A simplified patch has been included in 2.6.10-bk. It can be found at

http://linux.bkbits.net:8080/linux-2.5/cset%401.2251?nav=index.html

or below.

I have only tested this patch on 2.6.10-mm2, and there it is *not*
sufficient. The machine does an instant reset, just as without the patch
or the older version from 2.4.

Regards

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/01/07 15:58:52-08:00 torvalds@ppc970.osdl.org
# Fix do_brk() locking in library loader
#
# The regular executable loader path doesn't need the locking,
# because it's the only user of its VM. But the same is not true
# at library load time. So get the mmap semaphore.
#
# fs/binfmt_aout.c
# 2005/01/07 15:58:44-08:00 torvalds@ppc970.osdl.org +2 -0
# Fix do_brk() locking in library loader
#
# fs/binfmt_elf.c
# 2005/01/07 15:58:45-08:00 torvalds@ppc970.osdl.org +4 -1
# Fix do_brk() locking in library loader
#
diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
--- a/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
+++ b/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
@@ -512,7 +512,9 @@
len = PAGE_ALIGN(ex.a_text + ex.a_data);
bss = ex.a_text + ex.a_data + ex.a_bss;
if (bss > len) {
+ down_write(&current->mm->mmap_sem);
error = do_brk(start_addr + len, bss - len);
+ up_write(&current->mm->mmap_sem);
retval = error;
if (error != start_addr + len)
goto out;
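Review bot: in the a.out hunk the new down_write()/up_write() pair brackets only this single do_brk() call, so any other do_brk() reached from the same library-load path without mmap_sem held would still be unserialized; the changeset comment singles out library loading, so confirm this is the only such call site. Also confirm that the caller of this code does not already hold mmap_sem, since down_write() on an rw_semaphore the task already holds would deadlock instead of serializing. The placement itself is fine: the semaphore is dropped before the `if (error != start_addr + len) goto out;` check, so the error path does not leak the lock.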
diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
--- a/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
+++ b/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
@@ -1024,8 +1024,11 @@

len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr +
ELF_MIN_ALIGN - 1);
bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
- if (bss > len)
+ if (bss > len) {
+ down_write(&current->mm->mmap_sem);
do_brk(len, bss - len);
+ up_write(&current->mm->mmap_sem);
+ }
error = 0;

out_free_ph:
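Review bot: the ELF hunk still discards do_brk()'s return value (`do_brk(len, bss - len);` is followed unconditionally by `error = 0;`), so a failed bss extension, for example under memory pressure, is reported to the caller as success; the locking fix addresses the race but not this. Mirror the a.out side, which stores the result in `error` and bails out when it differs from the expected address, e.g. `if (do_brk(len, bss - len) != len) error = -ENOMEM;` with the assignment of `error = 0` moved into the success path before falling through to `out_free_ph`. Minor: the original `do_brk()` line keeps its old indentation inside the newly braced block and should be re-indented with the block.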

Re: local root exploit for linux 2.4 and linux 2.6.
Thank you!

I was about to send a email, asking if anyone knew a patch for
linux2.6.10 since both marcelo tossati and alan cox fixes were not
"approved" by linus torvalds.



On Sat, 8 Jan 2005 21:51:06 +0100, Marc Ballarin <Ballarin.Marc@gmx.de> wrote:
> Sorry for interrupting this flamewar....
>
> A simplified patch has been included in 2.6.10-bk. It can be found at
>
> http://linux.bkbits.net:8080/linux-2.5/cset%401.2251?nav=index.html
>
> or below.
>
> I have only tested this patch on 2.6.10-mm2, and there it is *not*
> sufficient. The machine does an instant reset, just as without the patch
> or the older version from 2.4.
>
> Regards
>
> # This is a BitKeeper generated diff -Nru style patch.
> #
> # ChangeSet
> # 2005/01/07 15:58:52-08:00 torvalds@ppc970.osdl.org
> # Fix do_brk() locking in library loader
> #
> # The regular executable loader path doesn't need the locking,
> # because it's the only user of its VM. But the same is not true
> # at library load time. So get the mmap semaphore.
> #
> # fs/binfmt_aout.c
> # 2005/01/07 15:58:44-08:00 torvalds@ppc970.osdl.org +2 -0
> # Fix do_brk() locking in library loader
> #
> # fs/binfmt_elf.c
> # 2005/01/07 15:58:45-08:00 torvalds@ppc970.osdl.org +4 -1
> # Fix do_brk() locking in library loader
> #
> diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
> --- a/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
> +++ b/fs/binfmt_aout.c 2005-01-08 12:21:32 -08:00
> @@ -512,7 +512,9 @@
> len = PAGE_ALIGN(ex.a_text + ex.a_data);
> bss = ex.a_text + ex.a_data + ex.a_bss;
> if (bss > len) {
> + down_write(&current->mm->mmap_sem);
> error = do_brk(start_addr + len, bss - len);
> + up_write(&current->mm->mmap_sem);
> retval = error;
> if (error != start_addr + len)
> goto out;
> diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> --- a/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
> +++ b/fs/binfmt_elf.c 2005-01-08 12:21:32 -08:00
> @@ -1024,8 +1024,11 @@
>
> len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr +
> ELF_MIN_ALIGN - 1);
> bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
> - if (bss > len)
> + if (bss > len) {
> + down_write(&current->mm->mmap_sem);
> do_brk(len, bss - len);
> + up_write(&current->mm->mmap_sem);
> + }
> error = 0;
>
> out_free_ph:
>
>
>


--
Miguel Sousa Filipe

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On 8 Jan 2005, at 21:13, Kris wrote:
> Maybe the user base on this list should be consulted on what they
> think is best?

The ``user base'' mostly hasn't dealt with any security problems. I have
to defend Gentoo on this one. On most distributions the security lists
are closed. There are reasons for this, things shouldn't go public.
Sometimes they agree on a release date etc. Subscribe to Bugtrac etc.
if you are interested in zero-day exploits.

Gentoo's process is reasonably open as almost all is documented within
Bugzilla. You could watch security@gentoo.org easily. Sure you get much
junk, but what do you expect. I would rather see the Gentoo developers
spend time to fix the bugs and write concrete advisories than
duplicating information from the Bugzilla on this list. Some seem to
forget that all the work within Gentoo is volunteer-based. On other
distributions you only receive announcements, or you have to subscribe
to a notification list for all bugs, not only the security-related
ones.

Did you pay anyone at Gentoo? Did you donate? Did you pay somebody who
verifies all bugs and rates them and sends an announcement to this list
when he thinks one is serious enough when you are subscribed to
Bugtrac/Securityfocus anyway? Get real.

I agree with you that the behaviour of some on this list is harassing.
People could deal with others more gently. But the flamewar would start
anyway, as I have learned from the past. English isn't my mother
language either, but you shouldn't use your newly learned insults to
throw them randomly to others.

Ah I should stop ranting... ):

Regards,
Philipp Kern
Re: Re: local root exploit for linux 2.4 and linux 2.6.
>Please look at the original post again, do you actually think Mike
>Frysinger is right in calling Miguel an ass?
>
>
>
I could care less. If someone thinks a policy change is necessary, then
start a discussion and file a bug about it. If the ML doesn't serve the
purpose you think it does, file a bug or unsubscribe. I'm not going to
sit here and argue about whose conduct was right or wrong, that's not the
point of the list.

--
Alec Warner
Spartasoft Secretary ( spartasoft.msu.edu )
Junior Computer Science
Michigan State University
warnera6@egr.msu.edu


Re: local root exploit for linux 2.4 and linux 2.6.
On 8 Jan 2005, at 22:54, Miguel Filipe wrote:
> I was about to send a email, asking if anyone knew a patch for
> linux2.6.10 since both marcelo tossati and alan cox fixes were not
> "approved" by linus torvalds.

Perhaps you should have sent us the link to the LKML entry where the
patches were denied by Linus.

Regards,
Philipp Kern
Re: Re: local root exploit for linux 2.4 and linux 2.6.
Point taken. I do not pay for the service, and I do agree that the
volunteer effort that's contributed should be directed towards
development. However, I think that if a policy change is requested by
enough people, I honestly don't think it would require that much effort to
post brief security related announcements. Just look at all the effort
being put in to crafting all this belittling banter.

Ok, maybe I misunderstand the purpose of this list? It is a security
list, and a major security hole was discovered, that affects the gentoo
kernel sources, to which I have good faith are being worked on, but we
have not been formally informed? Call me crazy, but this just isn't a
bug, it is also a security issue, which, I think, belongs on a security
list. Maybe I'm totally out of line here?

Your ranting is appreciated.

k.

On Sun, 9 Jan 2005, Philipp Kern wrote:

> On 8 Jan 2005, at 21:13, Kris wrote:
>> Maybe the user base on this list should be consulted on what they think
>> is best?
>
> The ``user base'' mostly hasn't dealt with any security problems. I have to
> defend Gentoo on this one. On most distributions the security lists are
> closed. There are reasons for this, things shouldn't go public. Sometimes
> they agree on a release date etc. Subscribe to Bugtrac etc. if you are
> interested in zero-day exploits.
>
> Gentoo's process is reasonably open as almost all is documented within
> Bugzilla. You could watch security@gentoo.org easily. Sure you get much junk,
> but what do you expect. I would rather see the Gentoo developers spend time
> to fix the bugs and write concrete advisories than duplicating information
> from the Bugzilla on this list. Some seem to forget that all the work within
> Gentoo is volunteer-based. On other distributions you only receive
> announcements, or you have to subscribe to a notification list for all bugs,
> not only the security-related ones.
>
> Did you pay anyone at Gentoo? Did you donate? Did you pay somebody who
> verifies all bugs and rates them and sends an announcement to this list when
> he thinks one is serious enough when you are subscribed to
> Bugtrac/Securityfocus anyway? Get real.
>
> I agree with you that the behaviour of some on this list is harassing. People
> could deal with others more gently. But the flamewar would start anyway, as I
> have learned from the past. English isn't my mother language either, but you
> shouldn't use your new learned insults to throw them randomly to others.
>
> Ah I should stop ranting... ):
>
> Regards,
> Philipp Kern
>

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, Jan 08, 2005 at 07:02:05PM +0100, Daniel Brandt wrote:
> This is suboptimal at best. There are tons of pure shit posted in
> bugzilla,

What other information do you want than bugs that are categorized as
Vulnerabilities in the Gentoo Security product? That's about the most
info you could desire, I would imagine--every vulnerability filed for
Gentoo systems.

I'd really like to help you out, but I don't see any valid points in the
above. "Pure shit" is subjective, of course, but that is the live info
that we, the devs, use. If it's sufficient for us, it's probably
sufficient for you, too.

> Interesting to note is that as soon as anyone know of a new bug and
> post about it here they are treated like idiots. This I also know
> from personal experience.
> See http://thread.gmane.org/gmane.linux.gentoo.security/598.

I don't see anybody treating you like an idiot in that link, but
whatever. Your mentioning of old grudges and ego scrapes sure makes me
take your complaint more seriously, though. Really.

> Everytime I notice new mail in this folder I realize I forgot to
> unsubscribe.. I think I just might take time to do it right now.

If that's a threat, uh, I can't say I mind. But for the record, if you
want us to change something, just try to delineate a little better what
you want changed. For instance, where you called bugzilla "pure shit," I
might have said, "Bugzilla is insufficient for my bugtracking needs for
the following reasons: [insert reasons here]." See what I mean?

Hope that helps.

--
Dan Margolis
Gentoo Security/Audit
Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, Jan 08, 2005 at 10:31:18AM -0000, Carlos Silva wrote:
> I don't think that. a local root exploit is something bad for sysadmins.
> and sysadmins have more things to do that just watch every bug in
> bugs.gentoo.org looking for root exploits or some other security flaws.
> I think that the gentoo-security ML should "notify" us about these
> problems.

It sounds like you were unaware of the feature where you can subscribe
to *specific* bugs in bugzilla, since you mentioned that you shouldn't
have to track "every bug in bugs.gentoo.org". So perhaps that's all you
want? :)

--
Dan Margolis
Gentoo Security/Audit
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, Jan 08, 2005 at 05:45:49PM +0100, Peter Simons wrote:
> The advantage of dealing with security problems _only_ in
> the bug tracking system is that practically nobody follows
> the bug tracking system -- whereas lots of people read the
> mailing list. Thus, there is less transparency, which means
> more freedom for the Gentoo core team to deal with security
> problems in a way that doesn't interfere with internal
> politics (read: egos).

Peter, this sounds, quite honestly, like you have a bit of an issue with
paranoia. This is the second time in maybe as many months in which
you've accused the Gentoo developer community of conspiring to keep you
from finding out about vulnerabilities, which is, quite honestly,
ridiculous. If we weren't devoted to the idea of openness, we wouldn't
volunteer our time with an open source project.

> As it happens, I have a concrete proposal how to make this
> list more useful! How about having the bug tracking system
> forward all new security-related entries to this mailing
> list automatically? This policy would (a) increase
> transparency and (b) help finding volunteers from the
> community who care enough about a problem to be willing to
> dedicate time to fixing it. Thus: less work for the Gentoo
> core team, more security for everybody.

It's not terribly difficult to subscribe to bugzilla, and I don't see
how the added effort of doing so implies a deliberate attempt to hide
the vulnerability process. As for advertising security entries on this
list, there are currently 81 unclosed bugs in the security product. The
turnover rate is quite high, and the volume of mail would clutter this
list and, in my personal opinion, make it more difficult to use this
list for what it is meant to be: security discussion. Given that infra
apparently feels the same way, the fastest solution for your personal
needs might be for you to sign up a Yahoo! group that is subscribed to
security bugs on Bugzilla.

The point here is that anyone can form a list with any internal
information. It's all there. The entire process is open, and any
accusations of conspiratorial secrecy are really quite hard to take
seriously. It's not just that we don't hide info, we actually publicise
it quite well. We send GLSAs to not just our own lists, but to a number
of public lists. We publish GLSAs in an RDF feed. We make Bugzilla
entries available on the web, via e-mail, and even in iCal format
(pretty slick, eh?).

So seriously, Pete, if you want to find a conspiracy, try the White
House. You won't find one here.
--
Dan Margolis
Gentoo Security/Audit
Re: local root exploit for linux 2.4 and linux 2.6.
Dan Margolis writes:

> Peter, this sounds, quite honestly, like you have a bit
> of an issue with paranoia.

Dan, this sounds, quite honestly, like you are side-stepping
my points by attacking me instead of my argument. And
attacking people who argue to increase security by calling
them PARANOID of all things is disappointingly uninventive
at that. Maybe this little example helps illustrating why ad
hominem attacks are considered logical fallacies:

"Isaac Newton was a prick. If you ever read about the way
he behaved, you'll see that. Therefore, force does not
equal mass times acceleration."

Now it's your turn to say: "You are comparing yourself to
Isaac Newton now? You clearly are megalomaniac, so posting
security problems to this list once they are known is not a
good idea."


> As for advertising security entries on this list, there
> are currently 81 unclosed bugs in the security product.
> The turnover rate is quite high, and the volume of mail
> would clutter this list and, in my personal opinion, make
> it more difficult to use this list for what it is meant
> to be: security discussion.

Look, this may come as a shock, but entries in the Gentoo
bug tracking system actually feature all kinds of meta
information, like severity, categorization of the problem,
categorizations of every modification made to the bug, and
whatnot else. If I am not mistaken, Bugzilla comes with an
excessive array of mechanisms that allow you to configure
which events are forwarded via e-mail and which ones are
not.

For instance: If a _new_ entry is made, the bug's
description and URL to the page in bugs.gentoo.org could be
forwarded to the list, but all the 200+ additional comments
appended to it in the process of ebuild hackery and other
administrative problems could NOT be forwarded. So the
interested reader would be informed about every bug and
could decide himself which ones to follow in detail through
the bug tracking system and which ones to ignore.

I realize text filtering techniques are still a very
experimental branch of information theory research, but I
thought Gentoo was the kind of bleeding-edge distribution
that embraced wild and promising technologies? Where is your
spirit of adventure? Why don't you use your imagination to
come up with ways to improve the situation, rather than
coming up with reasons why it is utterly impossible to
improve the situation?


> Given that infra apparently feels the same way, the
> fastest solution for your personal needs might be for you
> to sign up a Yahoo! group that is subscribed to security
> bugs on Bugzilla.

I sure could set up all kind of mailing lists and forward
all kinds of stuff to it for my personal pleasure, but that
doesn't really improve the utilization of _this_ list, does
it?


> It's not just that we don't hide info, we actually
> publicise it quite well. We send GLSAs to not just our
> own lists, but to a number of public lists. We publish
> GLSAs in an RDF feed.

The difference between advisories that are published once a
bug is fixed and advisories that are published once the bug
is known is subtle, I know. So by all means, keep mixing it
up. It's not like anybody minds explaining the same things
over and over again because you are attacking straw men
instead of the point being made.


> We make Bugzilla entries available on the web, via
> e-mail, and even in iCal format (pretty slick, eh?).

I am impressed. All these people who have been wondering why
an exploit that allows local users to gain superuser
privileges hasn't been published on this mailing list
although it was known and reported to Gentoo should probably
install iCal, and then little disappointments like that
would be a thing of the past.

Frankly, ridiculing your points is so damn easy it's not
even fun. The little gremlin on my shoulder thinks you are
doing that on purpose to annoy me. I just hope he is wrong!
Wait a second. There's someone at the door ...


Re: local root exploit for linux 2.4 and linux 2.6.
Dan Margolis writes:

> Carlos Silva writes:

>> A local root exploit is something bad for sysadmins.
>> [...] I think that the gentoo-security ML should
>> "notify" us about these problems.

> It sounds like you were unaware of the feature where you
> can subscribe to *specific* bugs in bugzilla [...].

That sounds awesome, Dan. Could you please post the URL of
the bug that we all can subscribe to in order to learn about
new local root exploits once they are known?

Peter


Re: re: local root exploit for linux 2.4 and linux 2.6.
Going around about the purpose of the list every month or so seems a little
unnecessary, in my opinion. I hope that delineating 'discussion' from
'notification' might help.

This list is for 'security discussion', not 'security notification'. Also
Simple. Posting, positing, and discussing known or potential vulnerabilities
here is perfectly within bounds.

Attacking individuals in any online format is almost certainly bound to create
a flame-war, and doesn't help the quality or signal to noise ratio of the
'discussion'.

If you want *notification* to monitor the security of Gentoo, monitor
Bugzilla's 'security' component. Simple. There, the answer is in the open.

The GLSA's and the 'security' component in Bugzilla provide 'full coverage'
and a highly configurable *notification* interface, so I don't see any need
to extend yet another *notification* interface by cluttering this
*discussion* list.

The original post of the vulnerability that spawned this thread was likewise a
good deed, and we should encourage people to post things that they think the
list or the broader community should be aware of. Good Job, Keep it up.

Discussing ways of closing a vulnerability is clearly 'in scope' for the
purpose of this list, as the broader community may have ideas. Good Job,
Keep it up. I've gotten good ideas from this list in general, and from
specific inquiries I've made in the past on this list. Posting a link to the
bug was also a great 'full disclosure' response. Good Job, Keep it up.

Regards,

- Brian

Re: re: local root exploit for linux 2.4 and linux 2.6.
On 9 Jan 2005, at 14:32, Brian G. Peterson wrote:
<snip>

I would put my ACK under everything said. Well done, Brian.

Regards,
Philipp Kern


Re: Re: local root exploit for linux 2.4 and linux 2.6.
I am another user who was under the impression that security problems
would be posted to this list when found, rather than after they are
fixed. Oh well.

Someone mentioned a yahoo groups list for bug announcements (rather
than fixes) could we get details of that placed on the page:

http://www.gentoo.org/main/en/lists.xml

And given that a sample of people on this list, me included, seem to
have misunderstood the list details, maybe an update is in order.



Peter Simons writes:
|
| > Given that infra apparently feels the same way, the
| > fastest solution for your personal needs might be for you
| > to sign up a Yahoo! group that is subscribed to security
| > bugs on Bugzilla.
|
| I sure could set up all kind of mailing lists and forward
| all kinds of stuff to it for my personal pleasure, but that
| doesn't really improve the utilization of _this_ list, does
| it?

I think there has been an indication that a number of people are
interested in such a list. Maybe if bugzilla is up to it it could be a
worthy list where ONLY bugzilla can post, creating a little more
signal. ;)

Maybe rather than another round of 'discussion' about people
we should discuss the creation of:

gentoo-security-discussion@
gentoo-security-announce@
gentoo-security-resolved@

or at least this new list that it seems a few people would be
interested in.

I'll leave:

gentoo-security-namecalling@

for later :) <-- Note ':)'

--
/ `Rev Dr' cam at darkqueen.org Roleplaying, virtual goth \
< http://darkqueen.org Poly, *nix, Python, C/C++, genetics, ATM >
\ [+61 3] 9809 1523[h] skeptic, Evil GM(tm). Sysadmin for hire /
---------- Random Quote ----------
Q: How many mathematicians does it take to screw in a lightbulb?
A: One. He gives it to six Californians, thereby reducing the problem
to the earlier joke.

Re: re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Brian G. Peterson wrote:

> This list is for 'security discussion', not 'security notification'. Also
> Simple. Posting, positing, and discussing known or potential vulnerabilities
> here is perfectly within bounds.
> [...]
> If you want *notification* to monitor the security of Gentoo, monitor
> Bugzilla's 'security' component. Simple. There, the answer is in the open.

Thanks for summing it up, Brian.

I'll try to address the concerns raised by this thread, which is mostly
about users' information. Some of you feel that you are not correctly
informed about security issues. We follow a policy that was presented
here on this ML for comments about 6 months ago, and no one made a single
comment about it. Some of you now have issues with it; I'll try to
answer them.

1/ Major security issues (like the recent local root) should be posted
on this ML because gentoo-security subscribers deserve to know

Why not. You can post it here if you want. But what we really need is
that people post it in Bugzilla, because it's our workflow tool. Posting
it here will raise awareness, but it won't speed up resolution. That was
the idea of the first answers (Mike Frysinger, although not a member of
the security team, is not a very subtle guy and goes straight to the point).

2/ Gentoo has the duty of informing us of vulnerabilities when they are
known, not when they are fixed.

Look around and you will find that Gentoo has the most open security
resolution process of ALL Linux distributions. Security bugs are in
public bugzilla, we discuss those bugs in a public IRC channel
(#gentoo-security). The information is out there, but you want the
Gentoo Security Team to push it to you. Sorry, we won't do that. We are
completely overloaded already by just trying to handle all those
vulnerabilities and publish Security Advisories when they are fixed. The
GLSA Coordinators team is just 4 guys with day jobs, and we still manage
to do as much as (and sometimes better than) commercial distributions with
fully staffed security teams. No distribution does what you're asking
for. Even if you pay RedHat for it, they still won't push information to
you about still unfixed vulnerabilities. Furthermore, information IS out
there. Go pick it up...

3/ Information on kernel vulnerabilities is not good

Every time this particular flamewar explodes on this list, it's about a
kernel vulnerability. I didn't see (yet) one about a root exploit in
mit-krb5 or any other package, which has MUCH MORE impact than a barely
exploitable local root. There is a reason for that. Kernel
vulnerabilities take longer to fix (for all sources) and GLSAs about
kernel vulnerabilities are always overdue. Our organisation and the
rules we follow are good for packages but not for kernels. We are
working on improving that. We feel you should be better informed about
kernel vulnerabilities, as soon as they are detected and as soon as a
particular sources set is fixed, to be able to know when to upgrade
kernels and plan everything. We'll stop issuing GLSAs about kernel
issues and replace them with a kernel security information webpage. This
is a project under way and you should see progress on it very soon.

4/ The Gentoo developers are a bunch of lazy asses that can't suffer
constructive comments and want to keep everything for themselves

I am fed up with this crap. As an operational manager for the Security
Team, I spend most of my free time wrangling security bugs, pushing the
other developers to provide fixed packages, drafting GLSAs, sending
them, scouting multiple security mailing-lists so that YOU, the user,
can be protected. You may think we are a closed group which does fun
stuff and keeps you away from it. Hear this: this job is not fun. I
would like there to be more people in the security team so that I can
handle more of the things I like in Gentoo (like embedded). But I can't.
I asked for help here a few times but nobody steps up. When they do,
they quickly realize this work is NOT fun and they disappear. If
sometime in the future there isn't anyone watching, fixing and
publishing security advisories in Gentoo, maybe you'll look back at
this kind of thread and see the reason.

I will reiterate my call for help here. We need dedicated people, who
will spend a few hours per day handling security bugs (yes, the "Full of
Shit" Bugzilla has to be sorted out). You won't be paid, except by acid
remarks on this ML telling you that you should do more. Candidates?

http://www.gentoo.org/proj/en/security/
http://www.gentoo.org/security/en/padawans.xml

--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, 8 Jan 2005 19:35:57 -0500 (EST)
Kris <kris@theendless.org> wrote:

> I honestly don't think it would require that much effort to post brief
> security related announcements.

And besides that it doesn't even have to be done by Gentoo devs. ;)

> Ok, maybe I misunderstand the purpose of this list? It is a security
> list, and a major security hole was discovered, that affects the
> gentoo kernel sources, to which I have good faith are being worked on,
> but we have not been formally informed?

Somebody posted info about the vulnerability to this list. After this
you can look for the relevant bug in Bugzilla and add yourself to CC if
you're interested [1]. When there is a solution, a GLSA [2] will be
issued.

IMHO this process doesn't sound like too much trouble and should be
transparent enough.

[1] http://bugs.gentoo.org/show_bug.cgi?id=77025

[2] Please don't ask me why GLSAs aren't cross-posted to -security as
well; this was decided before I joined the team.

--
Michael Kohl <citizen428@gentoo.org>

GnuPG key: 0x90CA09E3/4D21 916E DBCE 72B8 CDC5 BD87 DE2D 91A2 90CA 09E3

Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
Michael Kohl wrote:

>>I honestly don't think it would require that much effort to post brief
>>security related announcements.
>
> And besides that it doesn't even have to be done by Gentoo devs. ;)

Just before I joined the security team there was someone who said he
would do that. He called them "GLVP" (for Gentoo Linux Pending
Vulnerabilities). He said he would post to gentoo-security each
Saturday. Guess what? He posted one and never posted again. Proof for
the paranoid types out there:

http://marc.theaimsgroup.com/?l=gentoo-security&w=2&r=1&s=GLVP&q=b

Guess history keeps repeating itself. It's not that easy to regularly
commit free time to do work. It's easy to complain, it's not that easy
to be part of the solution.

--
Koon
Operational Manager, Gentoo Linux Security
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sun, 9 Jan 2005, Thierry Carrez wrote:

> Just before I joined the security team there was someone that said he
> would do that. He called them "GLVP" (for Gentoo Linux Pending
> Vulnerabilities). He said he would post to gentoo-security each
> Saturday. Guess what ? He posted one and never posted again. Proof for
> the paranoid types out there :
>
> http://marc.theaimsgroup.com/?l=gentoo-security&w=2&r=1&s=GLVP&q=b
>
> Guess history keeps repeating itself. It's not that easy to regularly
> commit free time to do work. It's easy to complain, it's not that easy
> to be part of the solution.

Ok, sorry for the "noob" remark/question here but can't this be automated
somehow? Like if someone files a security-related bug on bugs.gentoo.org
this could auto-dispatch an email to a relevant list... This way one would
not be dependent upon "manual labour" (for this particular task anyway).
Automate what can be automated I'd say[0]. :-)

Best regards

Peter K

[0] If only there was a way to automate bug-hunting... ;-)

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
I've read that on KernelTrap, here's the URL.

http://kerneltrap.org/node/4503

sorry for the late reply, I'm studying for my semester exams :)

regards,

On Sun, 9 Jan 2005 01:21:26 +0100, Philipp Kern <phil@philkern.de> wrote:
> On 8 Jan 2005, at 22:54, Miguel Filipe wrote:
> > I was about to send an email, asking if anyone knew a patch for
> > linux2.6.10 since both Marcelo Tosatti's and Alan Cox's fixes were not
> > "approved" by Linus Torvalds.
>
> Perhaps you should have sent us the link to the LKML entry where the
> patches were denied by Linus.
>
> Regards,
> Philipp Kern


--
Miguel Sousa Filipe

Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sat, 2005-01-08 at 00:21, Miguel Filipe wrote:
> Hi all,
>
> Just to let you people know that there is a local root exploit for linux
> 2.4.x and linux 2.6.x.
>
> full info:
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt

In keeping on topic with your original posting.

We have a bug open for this one; it can be found here:
http://bugs.gentoo.org/show_bug.cgi?id=77025

Note: the same patch does not work for PaX and vanilla users.

> Its kind of strange that this kind of information pops up on slashdot
> but doesn't appear in the gentoo-security ML.

Not so strange really, but thank you for passing the info along.

> greets to all!

salutes


--
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded) Developer
Re: Re: local root exploit for linux 2.4 and linux 2.6. [ In reply to ]
On Sunday 09 January 2005 01:36 pm, Peter Karlsson wrote:
> Ok, sorry for the "noob" remark/question here but can't this be automated
> somehow? Like if someone files a security-related bug on bugs.gentoo.org
> this could auto-dispatch an email to a relevant list... This way one would
> not be dependent upon "manual labour" (for this particular task anyway).
> Automate what can be automated I'd say[0]. :-)

The solution to this has already been discussed. This is a discussion list,
not a notification list. If you want notification, set up a watch that meets
your requirements on Bugzilla. Bugzilla will email you, and those who want a
discussion list without extra notifications can still have one.

Regards,

- Brian
