19:21:20 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:21:20 Meeting started Wed Aug 27 19:21:20 2014 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:21:20 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:21:23 #meetingname Fedora Security Team
19:21:23 The meeting name has been set to 'fedora_security_team'
19:21:24 #topic Roll Call
19:22:03 * Sparks
19:22:14 * Sparks spies bvincent and jtaylor90
19:22:24 .fas bvincent
19:22:25 bvincent: bvincent 'Brandon Vincent'
19:22:40 .hellomynameis jsmith
19:22:41 jsmith: jsmith 'Jared Smith'
19:24:16 * Sparks apologizes for being tardy
19:24:21 Okay, we'll get started.
19:24:44 #topic Security-Team FAS Group and Editing BZ tickets
19:25:46 Some members were saying that they couldn't edit BZ tickets while others could. A FAS group was created and permissions extended to that group, so this should no longer be a problem.
19:26:19 #info All FST members should apply to the security-team group in FAS.
19:26:50 #info Members should use the email address used in FAS for their account in BZ.
19:26:53 Any questions?
19:27:58 #topic Outstanding BZ Tickets
19:28:01 #topic Outstanding BZ Tickets
19:29:19 #info Wednesday's numbers: Critical 2, Important 62, Moderate 398, Low 130, Total 592, Trend +17
19:30:44 #info Current tickets owned: 155
19:30:55 sounds great
19:31:14 #info Closed tickets: 33
19:31:23 So, not bad.
19:31:50 OpenStack will be removed from EPEL. That should clear out a lot of stagnant reports.
19:32:08 I know I'm having some difficulties in getting some cases closed. My largest problem is going to be the orphaned packages. We'll see what releng ends up doing with them.
19:32:40 bvincent: Wow, no more OS in EPEL?
19:32:52 maybe saying "this one has a CVE and is orphaned, so we should fast track the removal"?
19:32:56 #link https://fedorahosted.org/rel-eng/ticket/5966
19:33:34 Garth wants to redirect users to RDO.
19:33:50 #link http://openstack.redhat.com
19:34:38 misc: Well, we did that but got some bad feedback on libmodplug.
19:35:04 misc: Hopefully someone will actually maintain it. Orphaned packages with vulnerabilities aren't a good thing.
19:35:07 What should we do about issues where the packager has not responded to emails?
19:35:26 The broken encryption issue in Synergy is in the Fedora 19 and EPEL packages.
19:35:34 bvincent: We can start the unresponsive packager protocol.
19:35:53 Sparks: Is their a link to this procedure?
19:36:03 *there
19:36:43 bvincent: There is, but I'm not finding it at the moment.
19:37:16 Sparks: If it could be placed on the wiki, that would be great.
19:37:53 #link https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
19:38:03 Sparks: Excellent. Thanks!
19:38:11 +1 Sparks
19:38:19 bvincent: We can also get a proven packager to assist (like jsmith).
19:38:48 * jsmith is happy to assist
19:39:01 jsmith: Can you fix everything by lunch tomorrow?
19:39:20 Sparks: Nope... but I'm sure I could get around to *something* by then
19:39:52 heh
19:40:15 Anyone have any tickets they'd like to discuss?
19:40:50 Not anything in particular from me -- though it might be interesting to see if there are any critical unassigned bugs that could be assigned
19:41:27 jsmith: I'm working the only two critical bugs (for the same package)
19:41:37 I don't have really serious problems, only owncloud with one CVE about admin bypass without details, but we ask upstream for details
19:41:41 all is going fine for me
19:41:43 jsmith: I've not been getting any information from upstream or down.
19:41:57 Sparks: OK, let me know if I can help in any way...
19:41:59 all/everything
19:43:13 jsmith: Know anything about ruby-gems?
19:44:08 jsmith: Specifically rubygems-activesupport
19:44:51 Sparks: I think huzaifas is working with glibc
19:45:14 revskills: Yes, he's owning that right now and paying for it too. :)
19:45:14 do you have more info about this? because the exploit from Tavis Ormandy was directly for f20
19:45:35 ok good to know
19:45:36 :)
19:45:51 revskills: Sorry, I don't.
19:47:02 Sparks: No, but I'm willing to learn
19:47:58 #topic Open Floor
19:48:06 Anyone have anything they want to talk about?
19:48:20 Sparks: Mind re-posting the links to the outstanding BZ items?
19:48:31 Sparks: For folks who might not already have them bookmarked?
19:48:41 * jsmith has nothing further
19:49:37 jsmith: The links are available on the wiki page.
19:49:45 #link https://fedoraproject.org/wiki/Security_Team
19:50:34 And for those playing at home:
19:50:40 #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced
19:50:49 #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced
19:50:59 #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced
19:51:06 #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced
19:51:55 Those are links for critical, important, moderate, and low vulnerabilities, respectively.
19:52:53 Okay, anything else?
19:54:29 * jsmith has nothing
19:54:41 Okay, I'm closing the meeting, then. Thanks to everyone for coming today.
19:54:48 #endmeeting