CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3638
Posted: Tue Feb 04, 2020 10:51 am Post subject: Gentoo has no forum for CVE corrective ebuilds [solved]
While upgrading with a stabilized package dedicated to CVE solving, I realized there isn't any forum dedicated to such a subject.
The concerned package has been pulled because of stabilization.
It would have been nice if there had been an easy way to get aware of the CVE, at least as soon as a related unstable package has been released.
I may be wrong though, as there might be resources I'm not aware of.
Any idea?
Thks 4 ur attention
Last edited by CaptainBlood on Wed Feb 05, 2020 10:39 am; edited 2 times in total
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 30965 Location: here
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3638
Posted: Tue Feb 04, 2020 1:18 pm Post subject:
Can't find 'dev-qt/qtcore/qtcore-5.12.3-CVE-2020-0570.patch' related topic.
Thks 4 ur attention, interest & support.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Feb 04, 2020 8:16 pm Post subject: Re: Gentoo forum has no forum for CVE corrective ebuilds
CaptainBlood wrote:
> While upgrading with a stabilized package dedicated to CVE solving, I realized there isn't any forum dedicated to such a subject.
CaptainBlood wrote:
> Can't find 'dev-qt/qtcore/qtcore-5.12.3-CVE-2020-0570.patch' related topic.
It isn't clear what you are expecting.
The News & Announcements forum contains CVE information as does the Gentoo Linux Security Advisories (GLSA) web page, although neither has anything for 2020.
Questions about a specific issue related to a CVE would be appropriate in Portage & Programming or Networking & Security (perhaps elsewhere too). There would be no reasonable expectation of a discussion of a subject that no one started, so I don't understand what you mean by 'Can't find ... patch' related topic.
If you're referring to a topic such as in News & Announcements, then one was apparently not created before the patch was pulled. The next step would be to check gentoo.git. Searching there for qtcore may provide the information you want. Possibly this or one of the other results.
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3638
Posted: Tue Feb 04, 2020 9:48 pm Post subject:
What I'm hoping for is a place where all current CVEs, at least the fixed ones, are listed, so that I can keyword (mostly stable here) their packages and upgrade.
Being aware of current open CVEs would be a bonus, maybe pushing some users to publish a temporary fix.
The link fedeliallalinea provided points to Gentoo Linux Security Advisories (GLSA) which doesn't contain anything about CVE-2020-0570, so it could not inform me I had a stable package requiring a keyworded fix. Sorry I've been elusive about the indirection.
I find the visibility is too low.
Maybe a CVE sub-forum that would inform about all open and recently fixed CVEs could fit?
Please note that for the last decade I've been living quite happily without it.
Thks 4 ur attention, interest & support.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Feb 04, 2020 10:50 pm Post subject:
The web page and the forum show ebuilds that have been fixed to address a given CVE. I believe both are updated automatically. Which means there are not any CVE items that have been fixed for 2020.
Regarding "open" but not yet fixed CVE issues, bugs.gentoo.org is probably the best if not only resource. For example, searching for "cve-2020" currently produces 23 results.
Since you are looking to use updates that are not considered stable, bugs seems to be the resource you'll want to use.
i4dnf Apprentice
Joined: 18 Sep 2005 Posts: 271 Location: Bucharest, Romania
Posted: Wed Feb 05, 2020 7:25 am Post subject:
https://bugs.gentoo.org/707354
Took less than 30s to find: packages.g.o->gitweb->bug
You'll notice that the bug is IN_PROGRESS. Once stabilized it will most likely be part of a GLSA.
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3638
Posted: Wed Feb 05, 2020 10:38 am Post subject:
The only thing I blame is that a user has to be quite proactive to know whether a system is prone to CVE installed ebuilds that are rectifiable.
Thks to all you guys providing enough clues to combine with for security flaw awareness.
Last edited by CaptainBlood on Thu Feb 06, 2020 7:04 am; edited 1 time in total
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Wed Feb 05, 2020 10:58 pm Post subject:
glsa-check (provided by sys-apps/portage) attempts to help. Many years ago I believe there were some concerns with it, but I don't recall the specifics. You may also look in the portage tree under metadata/glsa (xml files) to see if there is anything "new" to investigate.
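An added example (not code from this thread, from glsa-check or from Portage) of what "looking under metadata/glsa" amounts to: it parses the GLSA XML files into CVE ids, bug numbers and fixed-version bounds, so a CVE seen on bugs.gentoo.org can be checked against the advisories the tree already ships. The advisory embedded here is constructed; its id, date and version bounds are hypothetical, and the repository path /var/db/repos/gentoo in the usage note is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample advisory (hypothetical id, date and version bounds: no GLSA covering
# this CVE existed when the thread was written), shaped like the files under metadata/glsa.
SAMPLE_GLSA = """<glsa id="200000-00">
  <announced>2020-02-05</announced>
  <bug>707354</bug>
  <affected>
    <package name="dev-qt/qtcore" auto="yes" arch="*">
      <unaffected range="ge">5.12.3-r1</unaffected>
      <vulnerable range="lt">5.12.3-r1</vulnerable>
    </package>
  </affected>
  <references>
    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0570">CVE-2020-0570</uri>
  </references>
</glsa>
"""

def parse_glsa(xml_text):
    """Reduce one advisory to the fields a CVE lookup needs."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id"),
        "announced": root.findtext("announced", default=""),
        "bugs": [b.text.strip() for b in root.findall("bug")],
        # CVE ids are carried as the text of <uri> elements inside <references>
        "cves": sorted({u.text.strip() for u in root.findall("references/uri")
                        if u.text and u.text.strip().startswith("CVE-")}),
        # (package, range operator, version) of the fixed versions; comparing an installed
        # version against these bounds still needs Portage's version logic (what glsa-check does)
        "fixed_in": [(p.get("name"), u.get("range"), u.text)
                     for p in root.findall("affected/package")
                     for u in p.findall("unaffected")],
    }

def glsa_docs(glsa_dir):
    """Yield the text of every advisory file under a metadata/glsa directory."""
    for name in sorted(os.listdir(glsa_dir)):
        if name.endswith(".xml"):
            with open(os.path.join(glsa_dir, name), encoding="utf-8") as fh:
                yield fh.read()

def index_by_cve(xml_docs):
    """Map each CVE id to the parsed advisories that reference it."""
    index = {}
    for entry in map(parse_glsa, xml_docs):
        for cve in entry["cves"]:
            index.setdefault(cve, []).append(entry)
    return index
```

Against a real tree, `index_by_cve(glsa_docs("/var/db/repos/gentoo/metadata/glsa")).get("CVE-2020-0570")` returns nothing until an advisory citing that CVE is published, which is exactly the gap this thread is about.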
charles17 Advocate
Joined: 02 Mar 2008 Posts: 3664
Posted: Thu Feb 06, 2020 8:56 am Post subject:
pjp wrote:
> Many years ago I believe there were some concerns with it, but I don't recall the specifics.
Do you think the situation has much improved since post 8080514? Getting to know about a CVE not earlier than two months after the fix?
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Fri Feb 07, 2020 12:57 am Post subject:
As far as I can tell, that has nothing to do with glsa-check itself. The GLSA references bug 611976. From that bug (some comments shortened for brevity):
> 2017-04-26 01:30:36 UTC
> Please finish X86 stabilization ...
> 2017-04-30 16:41:18 UTC
> Arches and Maintainer(s), Thank you for your work.
> Security would really appreciate when you are done with stabilization of cleaning, to just put a quick line in here that it is done. There are a lot of security bugs in play and managing them all takes a lot of time, especially if we have to check if they are stable, or cleaned.
> www-client/firefox: marked stable for x86
> ...
> 2017-05-09 19:40:43 UTC
> This issue was resolved and addressed in
> GLSA 201705-06 at https://security.gentoo.org/glsa/201705-06
> by GLSA coordinator Kristian Fiskerstrand (K_F).
The Gentoo Vulnerability Treatment Policy explains that the process involves manual work, but you'd have to check with some developers to find out if there have been any process improvements as a result of that incident.
Also note that in the case of confidential vulnerabilities, you're not going to find out any earlier than they are allowed to announce them. So to some extent, you're at the mercy of the process.
Whenever I've noticed an issue I've been specifically concerned about, I've had it installed for a while.