public inbox for gentoo-project@lists.gentoo.org
From: Steve Long <slong@rathaus.eclipse.co.uk>
To: gentoo-project@lists.gentoo.org
Subject: [gentoo-project]  Re: gentoo security and packages.gentoo.org
Date: Mon, 24 Sep 2007 14:08:49 +0100
Message-ID: <fd8clm$eth$1@sea.gmane.org>
In-Reply-To: 200709232052.55608.arturo.g.arturo@gmail.com

Arturo Garcia wrote:
>   The thing is that I haven't been able to contact him, nor anyone from
> gentoo-security for over a week (I have written to security@gentoo.org and
> the M-L).  We are in a deadlock situation at the moment because infra has
> requested them to check the site (they have provided taviso with details
> and a live setup), and unless it is checked it won't be put live.
>
According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
taviso has "sporadic internet access for a while." As such you're unlikely
to find him on IRC, and his response to mailing-lists and the like is
probably not going to be the best. Given that he's probably starting
college or University as well, I doubt that he has much time to spare.

From the bug:
> My first impression: absolutely necessary to rework the whole service.
> There are INSERT statements which do not refer to column names but to the
> sequence columns were created (INSERT INTO table Values(...)). The CREATE
> TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> well as joins are (based on) VARCHARs. I'll write a sort of report and 
> host it somewhere on the mirror (including patch impact analysis) so maybe
> the code maintainer has a point to start from.
>
This is now all transparent public knowledge. As such no security team worth
its salt is going to leave these holes open. Remember that all the code
mentioned above has been freely available for several years.

If you have the comprehensive report mentioned, please post it to the bug. A
patch to implement the fixes you found would make the _audit_ process even
quicker.


-- 
gentoo-project@gentoo.org mailing list



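The bug comment quoted above names two schema-level problems: INSERT statements that bind values by column creation order rather than by column name, and CREATE TABLE scripts with missing columns (is_masked, prevarch) and no primary keys. The following is an added illustration of why those matter, not code from packages.gentoo.org or from anyone in this thread. It uses SQLite in memory; the table layout, column types and the sample row are constructed for the example, and only the column names is_masked and prevarch come from the bug. The positional form stores a row silently into the wrong columns as soon as the table layout drifts, while the named form with a primary key stores the same row correctly against either layout and rejects a duplicate.

```python
import sqlite3

# Added illustration, not code from packages.gentoo.org. The column names
# is_masked and prevarch are the ones the bug comment says the CREATE TABLE
# scripts lacked; the table layout, types and sample row are constructed.

# A schema that gained the two missing columns, but with them placed before
# version (the kind of drift a hand-edited CREATE TABLE script picks up).
SCHEMA_REORDERED = """
CREATE TABLE packages (
    category  VARCHAR(64),
    name      VARCHAR(64),
    is_masked INTEGER DEFAULT 0,
    prevarch  VARCHAR(32),
    version   VARCHAR(32)
);
"""

# The fragile form quoted in the bug: values bind to columns by creation order.
POSITIONAL_INSERT = "INSERT INTO packages VALUES (?, ?, ?, ?, ?)"

# The robust form: each value is tied to a named column, and the table has a
# primary key so the same package/version cannot be stored twice.
SCHEMA_HARDENED = """
CREATE TABLE packages (
    category  VARCHAR(64) NOT NULL,
    name      VARCHAR(64) NOT NULL,
    version   VARCHAR(32) NOT NULL,
    is_masked INTEGER     NOT NULL DEFAULT 0,
    prevarch  VARCHAR(32),
    PRIMARY KEY (category, name, version)
);
"""
NAMED_INSERT = """
INSERT INTO packages (category, name, version, is_masked, prevarch)
VALUES (:category, :name, :version, :is_masked, :prevarch)
"""

# Constructed sample row; the version string is deliberately non-numeric so
# SQLite's type affinity does not quietly convert it.
SAMPLE = {"category": "app-editors", "name": "vim", "version": "7.1-r1",
          "is_masked": 0, "prevarch": "x86"}


def fetch_row(con):
    """Return the single stored row as a column-name -> value dict."""
    cur = con.execute("SELECT * FROM packages")
    cols = [d[0] for d in cur.description]
    return dict(zip(cols, cur.fetchone()))


def positional_insert_misplaces_data():
    """Positional INSERT against the reordered table: no error, wrong columns."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA_REORDERED)
    # The caller still supplies values in the order it believes the table has:
    # category, name, version, is_masked, prevarch.
    con.execute(POSITIONAL_INSERT, (SAMPLE["category"], SAMPLE["name"],
                                    SAMPLE["version"], SAMPLE["is_masked"],
                                    SAMPLE["prevarch"]))
    return fetch_row(con)


def named_insert_is_order_independent(schema):
    """Named INSERT stores the row correctly against either table layout."""
    con = sqlite3.connect(":memory:")
    con.executescript(schema)
    con.execute(NAMED_INSERT, SAMPLE)
    return fetch_row(con)


def primary_key_rejects_duplicate():
    """With a primary key, a second copy of the same row is an IntegrityError."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA_HARDENED)
    con.execute(NAMED_INSERT, SAMPLE)
    try:
        con.execute(NAMED_INSERT, SAMPLE)
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    print("positional:", positional_insert_misplaces_data())
    print("named (reordered):", named_insert_is_order_independent(SCHEMA_REORDERED))
    print("named (hardened):", named_insert_is_order_independent(SCHEMA_HARDENED))
    print("duplicate rejected:", primary_key_rejects_duplicate())
```

Running it shows the positional row with the version string sitting in is_masked and the architecture in version, with no error raised at insert time, which is exactly the kind of defect a code audit has to find by reading rather than by watching the service fail. The composite primary key is a stand-in for whatever key the real schema needs; the point is that the audit-relevant fixes (named columns, declared keys, NOT NULL where a value is mandatory) are mechanical once the schema is written down.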
Thread overview: 6+ messages
2007-09-23 18:52 [gentoo-project] gentoo security and packages.gentoo.org Arturo Garcia
2007-09-24 13:08 ` Steve Long [this message]
2007-09-24 13:31   ` [gentoo-project] " Arturo Garcia
2007-09-27 15:40     ` [gentoo-project] " Steve Long
2007-09-28  7:02       ` [gentoo-project] " Arturo Garcia
2007-09-30  7:22         ` [gentoo-project] " Steve Long
