14:01:36 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:01:37 Meeting started Thu Dec 11 14:01:36 2014 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:37 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:01:40 #meetingname Fedora Security Team
14:01:40 The meeting name has been set to 'fedora_security_team'
14:01:44 #topic Roll Call
14:01:45 * Sparks
14:01:57 .fas bvincent
14:01:57 bvincent: bvincent 'Brandon Vincent'
14:02:10 .fas jtaylor
14:02:11 jtaylor90: jtaylor0175 'Jeffrey Scott Taylor' - jraytay 'Jason Taylor' - jtaylor 'Jason Taylor'
14:02:34 well then
14:06:55 .fas mhayden
14:06:56 mhayden: mhayden 'Major Hayden'
14:07:16 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:07:23 here
14:07:23 #topic Outstanding BZ Tickets
14:07:32 #info Wednesday's numbers: Critical 1, Important 51, Moderate 378, Low 151, Total 581, Trend -46
14:07:37 #info Current tickets owned: 200 (~34%)
14:07:38 #info Tickets closed: 189
14:08:02 Anyone have anything they want to discuss ticket-wise?
14:08:25 I do, BZ #765664
14:09:09 #link https://bugzilla.redhat.com/show_bug.cgi?id=765664
14:09:20 Go ahead
14:09:22 I have emailed Erik of the MinGW SIG directly and emailed the MinGW distro about this back in October, pjp pinged about this too
14:09:27 and we have heard nothing back
14:09:51 it seems odd to start an unresponsive maintainer on a whole SIG
14:09:54 so I am unsure how to proceed with this one
14:10:30 Is the vulnerable version actually in rawhide? Seems like it might have been updated since F16.
14:11:02 From what I can tell they are building against the vulnerable source for the affected package
14:11:14 but it would be nice if they said one way or the other
14:11:22 they being someone from the SIG
14:11:32 I also have a mingw related bug for openssl that points to Eric
14:11:51 https://bugzilla.redhat.com/show_bug.cgi?id=1152851
14:11:58 * Sparks thinks this all sounds quite familiar.
14:12:23 jtaylor90: Have you sent any messages to the SIG mailing list?
14:12:27 I did
14:12:33 And nothing.
14:12:55 Sparks: rawhide is still vulnerable.
14:12:55 Oct. 23rd I sent it and correct, no response. at all. lol
14:13:17 jtaylor90: Maybe try devel@ ?
14:13:46 I can do that for sure
14:15:01 I guess you can do a non-responsive maintainer against the entire SIG.
14:15:21 Looks like JasPer isn't really maintained upstream.
14:15:36 bvincent: that was my impression as well
14:16:09 The vulnerable code is described quite well by US-CERT.
14:16:11 #link http://www.kb.cert.org/vuls/id/887409
14:18:03 Anything else?
14:18:08 that's it for me
14:18:18 jtaylor90: Have you looked at the Debian patch?
14:18:32 bvincent: I did not...I will though
14:18:49 jtaylor90: Let me know if you find anyone responsive, would like to get the mingw-openssl poodle patched as well
14:19:00 d-caf: will do
14:22:08 #topic Open floor discussion/questions/comments
14:22:17 Does anyone have anything they'd like to discuss?
14:23:08 How do we treat Fedora 19 tickets now?
14:23:27 I know there is 1 month of official support left
14:23:31 d-caf: Those tickets will close when we officially stop supporting them.
14:23:45 So keep running them down as best as possible
14:25:53 d-caf: Sure, until we stop supporting them.
14:26:40 No problem, I wasn't sure if there was a priority change, most of mine are wrapped up in fedora-all tickets anyways
14:27:17 Same here.
14:27:34 ya
14:28:14 Okay, anyone else?
14:29:35 If not, I guess we can get out of here a little early and get back to work.
14:33:33 Hearing no objections... Everyone have a good day!
14:33:36 #endmeeting