On Mon, Dec 20, 2004 at 01:57:36AM +0100, Javier Fernández-Sanguino Peña wrote:
> I was thinking that it might be good to create a page in the
> audit webpages related to those security bugs that the security
> audit team have opened up. Since some of the work of the security
> team does not necessarily end up as DSAs, it might be a way to
> show off that the security audit team is also helping up doing
> Q&A of packages even before they get into the stable release.
That's a great idea.
> Attached is a sample including some of the insecure temporary
> file usage I have brought up to the security team and to package
> maintainers through bugs. I have sent some more of them today
> (that's why some are missing the bug number).
:)
> I actually told the security team of these bugs a long time ago
> (this summer) but I have not been able to open up bug reports and follow
> up on some of the issues until today. Notice that some of them
> don't actually merit a DSA, even though there have been a few
> DSAs recently (due to a Trustix audit) related to insecure temporary
> filename usage.
Yes, some of them are more important than others; I do notice that
the security team FAQ suggests all such conditions can be fixed
without a DSA first - as they are 'trivial'.
You have commit access on the webpages I think, feel free to add
the page.
Would you imagine this page should include non-issues like #202681?
Steve