From: Steve Long
To: gentoo-project@lists.gentoo.org
Subject: [gentoo-project] Re: gentoo security and packages.gentoo.org
Date: Mon, 24 Sep 2007 14:08:49 +0100
References: <200709232052.55608.arturo.g.arturo@gmail.com>

Arturo Garcia wrote:
> The thing is that I haven't been able to contact him, nor anyone from
> gentoo-security, for over a week (I have written to security@gentoo.org and
> the M-L). We are in a deadlock situation at the moment because infra has
> requested them to check the site (they have provided taviso with details
> and a live setup), and unless it is checked it won't be put live.

According to http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml, taviso has "sporadic internet access for a while." As such, you're unlikely to find him on IRC, and his response to mailing lists and the like is probably not going to be the best. Given that he's probably starting college or university as well, I doubt that he has much time to spare.

From the bug:
> My first impression: absolutely necessary to rework the whole service.
> There are INSERT statements which do not refer to column names but to the
> sequence in which columns were created (INSERT INTO table Values(...)). The CREATE
> TABLE scripts miss columns (is_masked and prevarch) and primary keys, and
> joins are (based on) VARCHARs. I'll write a sort of report and
> host it somewhere on the mirror (including patch impact analysis) so maybe
> the code maintainer has a point to start from.

This is now all transparent public knowledge. As such, no security team worth their salt is going to leave these holes open. Remember that all the code mentioned above has been freely available for several years.

If you have the comprehensive report mentioned, please post it to the bug. A patch to implement the fixes you found would make the _audit_ process even quicker.

--
gentoo-project@gentoo.org mailing list
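The schema problems the quoted bug comment describes (positional INSERTs, missing columns such as is_masked, no primary keys), shown as an added illustration that is not from this thread or from the packages.gentoo.org code; the table and column names are a constructed approximation, run against in-memory SQLite:

```python
import sqlite3

# Constructed schema (assumed names) in the shape the bug comment describes:
# no primary key, rows inserted by column position rather than by name.
FRAGILE_SCHEMA = "CREATE TABLE packages (name VARCHAR(128), category VARCHAR(64), version VARCHAR(32));"

# Hardened form: integer key to join on, explicit uniqueness, and callers name columns.
HARDENED_SCHEMA = """
CREATE TABLE packages (
    id INTEGER PRIMARY KEY,
    category VARCHAR(64) NOT NULL,
    name VARCHAR(128) NOT NULL,
    version VARCHAR(32) NOT NULL,
    UNIQUE (category, name, version)
);
"""

def named_insert(conn, category, name, version):
    # Columns are listed, so the statement is independent of declaration order.
    conn.execute("INSERT INTO packages (category, name, version) VALUES (?, ?, ?)",
                 (category, name, version))

def load_with_positional_inserts():
    """The flagged pattern: INSERT INTO table VALUES (...) with no column list."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(FRAGILE_SCHEMA)
    # Caller assumes (category, name, version); the table was declared (name, category, version).
    conn.execute("INSERT INTO packages VALUES (?, ?, ?)", ("dev-libs", "openssl", "0.9.8e"))
    row = conn.execute("SELECT name, category FROM packages").fetchone()  # silently swapped
    # Adding the column the CREATE TABLE script lacked now breaks every positional INSERT.
    conn.execute("ALTER TABLE packages ADD COLUMN is_masked INTEGER NOT NULL DEFAULT 0")
    try:
        conn.execute("INSERT INTO packages VALUES (?, ?, ?)", ("net-misc", "openssh", "4.7"))
        second = "ok"
    except sqlite3.OperationalError:
        second = "column-count mismatch"
    return row, second

def load_with_named_inserts():
    """Same operations against the hardened schema with named-column INSERTs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(HARDENED_SCHEMA)
    named_insert(conn, "dev-libs", "openssl", "0.9.8e")
    conn.execute("ALTER TABLE packages ADD COLUMN is_masked INTEGER NOT NULL DEFAULT 0")
    named_insert(conn, "net-misc", "openssh", "4.7")  # unaffected by the new column
    try:
        named_insert(conn, "dev-libs", "openssl", "0.9.8e")  # duplicate row
        dup = "accepted"
    except sqlite3.IntegrityError:
        dup = "rejected"  # the key constraint catches it instead of storing a duplicate
    rows = conn.execute("SELECT name, category, is_masked FROM packages ORDER BY name").fetchall()
    return rows, dup
```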