On Mon, 10 Mar 2008 12:20:08 -0600
Jake Edge <jake@xxxxxxx> wrote:

Feel free to keep beating... ;) This stuff needs to improve. :( 

> but I am trying to puzzle out the kronolith advisories.  They do not 
> include either a CVE reference or a bugzilla reference.  One contains 
> the changelog, one not.  And the description of the problem is as
> follows:
> Fix privilege escalation in Horde API.  Fix missing ownership
> validation on share changes.
> This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> How am I (or anyone) supposed to figure out what's going on here?

Not easily. ;( 

Kronolith upstream seems pretty happy-go-lucky. They fixed these things
in their CVS with no upstream bugs filed. As far as I know they never
requested a CVE or anything like it. Their viewcvs setup makes it
pretty much impossible to see what changed. They added other changes into
this release instead of just releasing the security updates, etc.

Manually pulling down the two releases and diffing them got me the
changes, but it was messy. ;(

So, what should we do in this case? 

It really is a security update... should we always file bugs and make sure they are updated with info? 

Should we file upstream bugs and ask them to explain the changes? 

Should we request a CVE and wait for that before pushing the update? 

Some guidelines here would be good... 

> jake
