#fedora-meeting log

14:03:02 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:03:02 <zodbot> Meeting started Thu Jan  8 14:03:02 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:03:05 <Sparks> #meetingname Fedora Security Team
14:03:05 <zodbot> The meeting name has been set to 'fedora_security_team'
14:03:08 <pjp> d-caf: Hi,
14:03:09 <Sparks> #topic Roll Call
14:03:15 * Sparks 
14:03:32 * pjp here
14:03:33 <d-caf> here
14:03:38 <bvincent> .fas bvincent
14:03:39 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
14:06:59 * Sparks is woefully ill-prepared this morning so we'll just keep this abbreviated.
14:07:26 <Sparks> #topic Open floor discussion/questions/comments
14:07:33 <Sparks> Anyone have anything?
14:08:09 <d-caf> Not really, just getting back into the swing of things from the new year
14:08:10 <pjp> The SSH PermitRootLogin feature has been announced,
14:08:33 <Sparks> pjp: Has that been figured out?
14:08:53 <pjp> Sparks: figured out?
14:09:08 <Sparks> pjp: The logistics around it all.
14:09:14 <d-caf> pjp: where was it announced?
14:09:23 <pjp> d-caf: devel-annouce
14:09:36 <d-caf> ok
14:10:14 <pjp> Sparks: Well, anaconda already supports creating non-root user, so is true for cloud images via libvirt,
14:10:26 <Sparks> okay
14:10:28 <bvincent> #link https://lists.fedoraproject.org/pipermail/devel-announce/2015-January/001492.html
14:10:54 <pjp> Sparks: even for users who do not wish to create non-root users, it is fairly easy to enable remote root login %post install via kickstart file
14:11:30 <pjp> Sparks: -> https://lists.fedoraproject.org/pipermail/security/2014-December/002061.html
14:12:24 <pjp> I guess the approach could differ slightly as per the tool used to create such images, but shouldn't be difficult or impossible,
14:12:28 <Sparks> pjp: +1
14:12:35 <Sparks> Anyone have anything else?
14:13:42 <pjp> Many of the bugs that I had pinged last month have been closed, though there are others that need to be pinged again
14:15:16 <Sparks> That's good
14:15:25 <Southern_Gentlem> ping someone on the denyhosts bug please
14:15:38 <pjp> Southern_Gentlem: ?
14:15:39 <Southern_Gentlem> https://bugzilla.redhat.com/show_bug.cgi?id=1129747
14:15:46 * pjp clicks
14:16:25 <Southern_Gentlem> the workaround works but still needs to be fixed
14:16:44 <pjp> Southern_Gentlem: Is that a security one?
14:16:58 <Southern_Gentlem> to me it should be
14:17:21 <d-caf> Fail2ban has a similar problem with crashing from heavy load
14:18:06 <bvincent> Should we be keeping packages 8 years old?
14:18:15 <bvincent> That is the last release from upstream.
14:20:31 <bochecha> so I have a question
14:20:50 <pjp> bvincent: Well, as long as there is a maintainer for it, it's okay.
14:21:00 <bochecha> recently, the security team opened bugs to one of my package, libhtp, in all fedora versions: https://bugzilla.redhat.com/show_bug.cgi?id=1173608
14:21:02 <Sparks> pjp: "maintainer"
14:21:18 <bochecha> I pushed the updates out asap (pjp even helped me figure some stuff out)
14:21:28 <bochecha> that was almost a month ago
14:21:30 <pjp> Southern_Gentlem: so what's the security impact there?
14:21:41 <bochecha> it would be nice if someone from the security team could ack that the updates actually fix the issue...
14:21:56 <bvincent> It's just funny that people use DenyHosts with TCP Wrapper (which hasn't seen an upstream release since 1997).
14:22:03 <bvincent> Better solutions exist...
14:23:13 <fenrus02> bvincent, better solutions, like what?
14:23:16 <pjp> bochecha: Maybe fedora-qa folks could help? Not sure though.
14:23:28 <bvincent> fenrus02: netfilter/iptables
14:23:47 <fenrus02> bvincent, those are broken by firewalld being default.
14:24:29 <bvincent> fenrus02: I assume that is a bug in firewalld?
14:24:51 <fenrus02> bvincent, not so much a bug as an intentional design decision.  firewalld lacks the functionality entirely.
14:25:00 <bochecha> pjp, well, security team seems better place to evaluate whether a vulnerability is fixed or not
14:25:17 <Southern_Gentlem> pip Denyhosts is a watchdog service for sshd
14:25:35 <d-caf> fenrus02: if we are trying to deny a host from brute force, then fail2ban with firewalld and iptables is a solution
14:25:58 <fenrus02> d-caf, in theory sure. again, firewalld completely lacks the required ability.
14:26:11 <fenrus02> d-caf, ipt certainly has it, no question there.
14:26:28 <pjp> bochecha: True, but testing it is fairly taxing task, considering the limited bandwidth to address current issues.
14:27:04 <Southern_Gentlem> pip this is a issue fro f20  f21 everything works
14:27:11 <bvincent> fenrus02: Are you talking about firewalld handling the entire SSH brute force protection?
14:27:20 <bochecha> pjp, sure, it still seems like the responsibility of a security team
14:27:39 <fenrus02> bvincent, no.  for example - tell firewalld to allow ssh from only 5 specific ip addresses.
14:28:00 <Sparks> fenrus02: Yeah, that feature is definitely missing in firewalld.
14:28:02 <fenrus02> bvincent, or the opposite - deny ssh attempt from only 5 specific ips
14:28:32 <bvincent> fenrus02: Sorry I meant to use iptables in conjunction with something like fail2ban. I thought you were suggesting that manual iptables entries were getting removed or changed due to firewalld.
14:28:38 <fenrus02> Sparks, i'm told that is a design decision, not a bug. is that inaccurate ?
14:28:49 <pjp> bochecha: I beg to differ on that,
14:28:52 <fenrus02> bvincent, iptables rules are clobbered by firewalld intentionally.
14:29:13 <fenrus02> bvincent, this is why i said iptables certainly can, but firewalld as a default cannot.
14:29:14 <Sparks> fenrus02: I have no idea but it's a bad decision if it's a "feature".
14:29:35 <fenrus02> Sparks, fair.  that makes it a design decision.
14:29:38 <Southern_Gentlem> pip i use denyhosts to allow only 5 ips to be able to ssh into my box the rest are moved to hosts.deny and i go on my merry way
14:29:49 <d-caf> bochecha: other than setting up my own personal lab at home, the security team doesn't have any testing resources that I know of (qa has those)
14:29:56 <bochecha> pjp, well, it seems a bit easy to open bug reports, ask a volunteer to fix something as quickly as possible, and then refuse to give him a hand testing the fix, especially when the volunteer isn't sure of the fix
14:30:14 <bochecha> d-caf, you're saying the security team doesn't even reproduce the security bugs they report?
14:30:37 <d-caf> bochecha: the security team isn't neccesarily the ones reporting the bugs
14:30:55 <bvincent> fenrus02: So any firewall changes made via iptables after firewalld starts running don't apply?\
14:30:56 <d-caf> bochecha: we just try to help encourage reported bugs to be fixed and help where we can
14:31:11 <fenrus02> bvincent, try it out.
14:31:27 <bochecha> d-caf, the blocker for the bugs I'm talking about have: Assigned To: 	Red Hat Product Security (edit) (take)
14:31:28 <fenrus02> bvincent, make some custom changes via iptables lines, then wait a few mins.  verify your changes are present
14:31:41 <bvincent> fenrus02: Great...
14:31:44 <pjp> bochecha: I understand, though as said testing it is taxing task to do for all such bugs, fedora-qa folks already do that,
14:31:47 <fenrus02> bvincent, if you want them to really stick - you have to use firewallcmd
14:32:01 <fenrus02> bvincent, which again, is massively limited
14:32:04 <d-caf> bochecha: that's not to say I don't try and test fixes where/when I can, cause I care
14:32:11 <bvincent> fenrus02: Now I know why I write the rules myself... Thanks a lot firewalld.
14:32:34 <bochecha> pjp, you're just putting the blame on another team here... we're all fedora qa
14:32:46 <d-caf> bochecha: Red Hat Product SEcurity is not the fedora security team
14:32:46 <Sparks> bochecha: We don't really have a security QE team for Fedora.
14:33:05 <pjp> bochecha: No, I'm not blaming anyone.
14:33:10 <bochecha> Sparks, that's not what this meeting is?
14:33:18 <misc> d-caf: we are speaking of Fedora, not RH
14:33:39 <bochecha> d-caf, wait, so why do I get "Red Hat Product Security" bugs in Fedora then?
14:34:09 <bochecha> if they are not the fedora security team, then I'm entirely confused
14:34:15 <d-caf> Red Hat Product Security reported the bug, and the bug also applied to Fedora (as well as redahat products)
14:34:18 <pjp> bochecha: That's because they investigate the issue for Fedora packages too.
14:34:52 <bochecha> ok, so first of all, my apologies for barging in here and accusing you (fedora security team) for the wrongdoings of the redhat security team :)
14:35:04 <d-caf> bochecha: I'm on the fedora security team, but in no way a RedHat employee
14:35:05 <bochecha> second, can we get this situation to be less confusing, please?
14:35:10 <Sparks> What is Red Hat Product Security doing wrong?
14:35:15 <d-caf> bochecha: no worries, no barging or accusing
14:35:40 <bochecha> Sparks, well, I'd rather not continue polluting this meeting with this, now that I realize I'm in the wrong place :)
14:35:55 <fenrus02> Sparks, wrong?  nothing afaict.  just their scope doesnt include fedora packages by policy.  it's nice to have them look at fedora packages though
14:36:21 <Sparks> fenrus02: They do look at Fedora packages... right before they get into RHEL.  :)
14:36:28 <d-caf> bochecha: fine place to bring up wanting your thing tested, and maybe we can find a way to help get it tested
14:36:32 <pjp> Sparks: +1
14:36:36 <misc> the issue i guess is around exceptation of the bug open
14:36:47 <bochecha> misc, exactly
14:36:48 <fenrus02> Sparks, exactly.  simply awesome would be to expand that group into looking at all fedora + rhel packages, but that costs real money
14:36:58 <Sparks> fenrus02: Yep.
14:37:01 <misc> while they are open as FYI type of bug, it seems bochecha has a different expectation regarding getting help to make sure they are fixed
14:37:12 <misc> so the question is how to reconcile the 2
14:37:25 <bochecha> finding a bug opened in Fedora packages, assigned to a « security team », I thought they were from the fedora security team (which is why I'm here)
14:37:32 <bochecha> when in fact, I should have gone somewhere else
14:37:33 <Sparks> misc: It would be great if Fedora QA would test these fixes.
14:37:44 <bvincent> fenrus02: Looks like you're right. firewallcmd-ipset is the way to go.
14:37:53 <pjp> misc: IIUC, bochecha wants to confirm if the update he pushed fixed the issue, which seems like what fedora-qa could do.
14:37:57 <bochecha> Sparks, fedora QA might not even have the expertise to understand the security issue
14:37:59 <fenrus02> Sparks, to do that - the POC would need to be in the bz report. :/
14:38:06 <misc> Sparks: yeah, but you know as well as me this requires sometime specific testing skills that not everybody have
14:38:14 <bochecha> I mean, the maintainer might not have the security expertise either (I know I don't)
14:38:16 <misc> Sparks: and fedora-qa do also ask to the reporter to test the fix
14:38:19 <Sparks> misc: Agreed.
14:38:20 <misc> so back to square 1
14:38:44 <misc> ( or at least, taht's the content of the automated message I get when there is a upgrade )
14:38:45 <Sparks> misc: To be honest, there are several square 1 issues in Fedora now that we need to look at.
14:38:47 <bvincent> fenrus02: That file uses firewall-cmd. Thanks for the info.
14:39:00 <misc> Sparks: I agree numerotation is suboptimal :)
14:39:09 <bochecha> but again, I thought I asking the reporter here, and it turns out I'm not, so I'm going to go and complain to the red hat security team, now ;)
14:39:14 <pjp> bochecha: let's see, I'll have a look at it in few days, if it's okay with you.
14:39:29 <Sparks> bochecha: I'm right here.
14:39:33 <fenrus02> bvincent, anyhow - back on track. true that denyhosts / tcpwrappers have not been updated in years - but there is no viable replacement today given the defaults.
14:39:35 <bochecha> pjp, of course it is, thank you very much :)
14:40:23 <pjp> bochecha: cool!
14:41:37 <misc> Sparks: for example, I know that not all reproducer can be shared, but some can, so adding a way to verify the problem could alleviate the problem ?
14:42:05 <misc> ( maybe that's already done, just trying to find a idea )
14:43:49 <Sparks> misc: Yes.  If the bug also exists in RHEL then QE I think puts the reproducer in the bug.
14:44:07 <jrusnack> Sparks: PST should put it in
14:44:22 <Sparks> jrusnack: +1
14:45:24 <jrusnack> so trouble are fedora-only bugs that are missing analysis from PST, which makes verification impossible. pjp talked about this in past, that FST should do analysis, right ?
14:46:05 <pjp> jrusnack: Yes, we already do that for most part
14:47:08 <jrusnack> pjp: so, if we do analyse the bug, it should have steps to reproduce. So in theory if it does, bochecha would not complain. Plus it would be FST responsiblitity (do I understand correctly) ?
14:48:48 <pjp> jrusnack: Oh, by analysis I meant whether a given bug could have security implications, why and if the patch fixes it. Steps to reproduce it quite different IMO.
14:49:26 <pjp> jrusnack: Such steps may not always be available or easily doable.
14:49:58 <jrusnack> pjp: well that is enought too. If we confirm patch fixes it, then verifying patch was applied equals to testing if it was fixed.
14:50:23 <pjp> jrusnack: Right,
14:51:16 <jrusnack> sounds good.
14:51:39 <pjp> jrusnack: What bochecha seeks to confirm is, after the patch is applied, how do we confirm that the new build is not vulnerable.
14:52:14 <jrusnack> pjp: your answer above. For fedora only bugs we do sanity only - check the patch was applied and package is sane.
14:53:07 <pjp> jrusnack: And investing the security implications is critical too.
14:53:56 <pjp> jrusnack: for ex. -> BZ#1129747 mentioned above, the implications are not readily clear, the bug is also not tagged as security one,
14:54:36 <Sparks> Okay, anyone have anything else?
14:54:39 <jrusnack> pjp: imho not vulnerability
14:56:35 <pjp> Nothing in particular for me
14:57:14 <pjp> Ah - happy new year to all! :)
14:57:36 <Sparks> Okay, everyone have a good day.  I hope to be better prepared next week.
14:57:38 <d-caf> Happy new year to you all as well!
14:58:09 <Sparks> #endmeeting