Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZqAWEWkm6Y5LMGli@michel-fedora-PC198L6J>
Date: Tue, 23 Jul 2024 15:44:01 -0500
From: Michel Lind <michel@...hel-slm.name>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros application for CentOS Project's
 Hyperscale SIG

Hi Alexander,

On Tue, Jul 23, 2024 at 09:23:10PM +0200, Solar Designer wrote:
> Hi,
> 
> I've finally reviewed the links and re-read the thread.  Looks like
> we're OK to proceed with adding CentOS Project's Hyperscale SIG as a
> linux-distros member.
> 
> Michel, please e-mail me off-list with PGP keys for all of you who need
> to be subscribed for Hyperscale.  I also need to know who will be
> managing this subscription on your end (informing me of any changes in
> who's to stay subscribed).
>
Thank you! I'll email once I have collected all the keys.

> On Wed, Jul 10, 2024 at 06:54:13PM -0500, Michel Lind wrote:
> > All three of us are Fedora developers - but AIUI, we will not and can not use
> > membership here to contribute Fedora patches - until the embargo is
> > over.
> > 
> > For Hyperscale itself we plan to use the head start to have local builds
> > ready to go, and commit and do a public build as soon as the embargo is
> > over; if it needs collaboration we can use private Git repos and E2EE
> > private chats to discuss the fix among ourselves.
> > 
> > This is, to the best of my knowledge, similar to how AlmaLinux handles
> > embargoed security issues - the fix is ready to go but is only made
> > available once the embargo is lifted.
> > 
> > Now - wearing our Fedora hats, we certainly would try and help get this
> > fixed in Fedora once the embargo is over (as we've done before) - and
> > knowing a CVE is going to be made public would certainly help (e.g.
> > trying to make sure one of us is around) - but we won't be participating
> > in the list wearing our Fedora hat, or discuss embargoed issues with
> > people not on the list.
> 
> This understanding is correct.  The membership and embargoed info is
> only for the specific distro "except with the reporter's explicit
> approval".  This exception means that you may occasionally ask whoever
> reported the issue to linux-distros for permission to use the
> information e.g. also for preparing a fix for Fedora even though you're
> subscribed for Hyperscale.  To avoid miscoordination, please keep such
> requests also CC'ed to the list.  Uses of this exception have been very
> rare so far, and it is expected that you wouldn't use it often, or else
> it'd make more sense to discuss the additional distro becoming a member.
>
Thanks. Good to know this exception exists, but I'm hoping to prod
Fedora to onboard itself as a member anyway.

> FWIW, Fedora's fix for CVE-2024-6387 was quite timely as-is:
> 
> commit dcbca7b947cf82c30d6f477a26efd2f765204fe6
> Author:     Gordon Messmer <gordon.messmer@...il.com>
> AuthorDate: Mon Jul 1 20:49:16 2024 -0700
> Commit:     Gordon Messmer <gordon.messmer@...il.com>
> CommitDate: Tue Jul 2 00:48:16 2024 -0700
> 
>     Patch 9.6p1 for CVE-2024-6387
> 
> * Mon Jul 01 2024 Gordon Messmer <gordon.messmer@...il.com> - 9.6p1-12
> - Patch 9.6p1 for CVE-2024-6387
> 
> On one hand, this confirms that Fedora cares.  On the other, for an
> issue with a trivial patch, I don't know if Fedora could have done much
> or anything more to prepare.
> 
It was timely .. but there was some scramble in Fedora's security room
the morning the embargo was lifted. It turns out the development Rawhide
branch was not in a buildable state at that moment - not a big deal, I
pointed out at the time that it's more important to fix the stable
releases - but with access to the embargo, someone could have fixed the
Rawhide build in preparation I suppose.

> OpenSSH 9.8 released on July 1 also fixed "Logic error in ssh(1)
> ObscureKeystrokeTiming", which became CVE-2024-39894 by July 3:
> 
> https://www.openwall.com/lists/oss-security/2024/07/03/6
> 
> Per upstream, this issue affects "9.5 through 9.7 (inclusive)", so I
> guess Fedora's package based on 9.6p1 is vulnerable.  There doesn't
> appear to be a fix in the package yet.  I see this is being tracked in:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=2295615
> 
> which is assigned to Dmitry Belyavskiy, who is also the maintainer of
> the OpenSSH package in RHEL and CentOS Stream.  RHEL is not affected and
> the issue is low severity, so will probably take a long while to fix in
> Fedora via Red Hat.  Maybe something the community could do quicker?
> This is not directly related to possible linux-distros membership; this
> issue wasn't even on linux-distros.
>
Yeah - the CVE fixes were done by a non-maintainer anyway (Dmitry
understandably has his hands full with fixing RHEL and CentOS Stream).
This is tangential - but having a well-coordinated security team in
Fedora, that participates in this list and in linux-distros, would
likely help - e.g. by ensuring that the ACL of key packages like openssh
correlates to who often contributes to it, and by making sure issues
like these get addressed sooner rather than later.

-- 
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.