* [gentoo-user] Sparse security announcements
From: Ian Zimmerman @ 2016-09-10 23:11 UTC
To: gentoo-user
There has not been a GLSA, according to the gentoo.org front page, since
August 1 [1]. In the meantime, Debian has had [2] [3] and [4] among
others. Is it really the case that the Gentoo builds aren't affected by
any of these?
[1] https://security.gentoo.org/glsa/201608-01
[2] https://www.debian.org/security/2016/dsa-3652
[3] https://www.debian.org/security/2016/dsa-3653
[4] https://www.debian.org/security/2016/dsa-3655
--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
* Re: [gentoo-user] Sparse security announcements
From: Michael Orlitzky @ 2016-09-10 23:47 UTC
To: gentoo-user
On 09/10/2016 07:11 PM, Ian Zimmerman wrote:
> [2] https://www.debian.org/security/2016/dsa-3652
Beats me, I don't see it in bugzilla... maybe none of those affect our
newer 6.9.x.y versions? (I didn't dig into the vulnerabilities.)
> [3] https://www.debian.org/security/2016/dsa-3653
You only get a GLSA after an issue has been fixed and stabilized on all
architectures. And after that, someone actually has to write the GLSA,
so they can appear long after the vulnerability is found or even fixed.
This one hasn't been fixed yet:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2016-6354
> [4] https://www.debian.org/security/2016/dsa-3655
Same here:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2016-6265
* Re: [gentoo-user] Sparse security announcements
From: Rich Freeman @ 2016-09-10 23:48 UTC
To: gentoo-user
On Sat, Sep 10, 2016 at 7:11 PM, Ian Zimmerman <itz@primate.net> wrote:
> There has not been a GLSA, according to the gentoo.org front page, since
> August 1 [1]. In the meantime, Debian has had [2] [3] and [4] among
> others. Is it really the case that the Gentoo builds aren't affected by
> any of these?
>
Gentoo GLSAs are not announced until the last arch stabilizes the
change and then a security team member generates the notice. This is
usually long after amd64/x86 do so. If you wait for a GLSA
announcement before doing an update, or only do updates using the
glsa-check tool, you're going to be vulnerable for a LONG time.
--
Rich
* [gentoo-user] Re: Sparse security announcements
From: Ian Zimmerman @ 2016-09-11 4:48 UTC
To: gentoo-user
On 2016-09-10 19:47, Michael Orlitzky wrote:
> > [2] https://www.debian.org/security/2016/dsa-3652
>
> Beats me, I don't see it in bugzilla... maybe none of those affect our
> newer 6.9.x.y versions? (I didn't dig into the vulnerabilities.)
I did (now). Most are indeed fixed in 6.9.4, but a few (2 or 3 out of
the 10 or so) only in 7.x. Should a bug be filed?
--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
* Re: [gentoo-user] Re: Sparse security announcements
From: Michael Orlitzky @ 2016-09-11 15:02 UTC
To: gentoo-user
On 09/11/2016 12:48 AM, Ian Zimmerman wrote:
>
> I did (now). Most are indeed fixed in 6.9.4, but a few (2 or 3 out of
> the 10 or so) only in 7.x. Should a bug be filed?
>
Sure, if for some reason our imagemagick isn't affected, it only takes a
second to mark the bug invalid. Better to play it safe.
* [gentoo-user] Re: Sparse security announcements
From: Ian Zimmerman @ 2016-09-12 3:43 UTC
To: gentoo-user
On 2016-09-11 11:02, Michael Orlitzky wrote:
> > Most are indeed fixed in 6.9.4, but a few (2 or 3 out of
> > the 10 or so) only in 7.x. Should a bug be filed?
> >
>
> Sure, if for some reason our imagemagick isn't affected, it only takes a
> second to mark the bug invalid. Better to play it safe.
Done:
https://bugs.gentoo.org/show_bug.cgi?id=593526
https://bugs.gentoo.org/show_bug.cgi?id=593528
https://bugs.gentoo.org/show_bug.cgi?id=593530
https://bugs.gentoo.org/show_bug.cgi?id=593532
(Hmm. Are only even numbers assigned as Bug IDs?)
--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
* [gentoo-user] Re: Sparse security announcements
From: Jonathan Callen @ 2016-09-12 5:19 UTC
To: gentoo-user
On 09/11/2016 11:43 PM, Ian Zimmerman wrote:
> On 2016-09-11 11:02, Michael Orlitzky wrote:
>
>>> Most are indeed fixed in 6.9.4, but a few (2 or 3 out of
>>> the 10 or so) only in 7.x. Should a bug be filed?
>>>
>>
>> Sure, if for some reason our imagemagick isn't affected, it only takes a
>> second to mark the bug invalid. Better to play it safe.
>
> Done:
> https://bugs.gentoo.org/show_bug.cgi?id=593526
> https://bugs.gentoo.org/show_bug.cgi?id=593528
> https://bugs.gentoo.org/show_bug.cgi?id=593530
> https://bugs.gentoo.org/show_bug.cgi?id=593532
>
> (Hmm. Are only even numbers assigned as Bug IDs?)
>
At one point, there were two bugzilla servers that synchronized bugs
between each other. If you got one of the servers, all new bugs would
be even. If you got the other, all new bugs would be odd. This was to
avoid having to check with the other server every time a new bug was
created (to ensure that a duplicate number was not assigned). I don't
know if this is still the case, or just a configuration remnant from
when it was an issue.
--
Jonathan Callen