Re: Security bugs in unmaintained/maintenerless librsvg



On Mon, 2015-02-02 at 12:15 +0100, Olav Vitters wrote:
On Mon, Feb 02, 2015 at 11:31:38AM +0100, Dimstar / Dominique Leuenberger wrote:
On Sun, 2015-02-01 at 23:45 +0100, Olav Vitters wrote:
Hello distributors,

We've received various security bugs about librsvg. As that module is
unmaintained, these bugs have not been fixed. These bugs and various
others will be made public really soon. Possibly as of next week.

Maintainers for librsvg welcome. In any case, take note.

Feel free to discuss here or on desktop-devel-list@gnome.org (make sure
you're subscribed).
[..]
being part of a distribution team: do you have any information you can
share on this topic or do we have to wait it to become fully public?

Maybe we can even throw in some manpower; worthy to be explored.

We received various details on bugs already. The normal process is that
we forward this to the maintainer and it is fixed. There's nothing in
place when there's no maintainer. As release team, we thought it was
maybe better to have a few security people on security@gnome.org.
However, we never actioned it and now have these bugs.

So one way to proceed would maybe be to add some known openSUSE security
person to security@gnome.org, then set up Bugzilla permissions as well.

Olav,

I passed this idea through the folks of the security team at SUSE and
the idea was well received.

Depending on how it can be set up, it would be great to be able to use
security@suse.de as a member mail address (that would obviously be the
security team in its complete form) or Johannes Segitz (jsegitz@suse.de)
and Marcus Meissner (meissner@suse.de) as the two main people in this
area.

Anything else you need to get this started?

I'm guessing we should also add Red Hat / Fedora. We had people showing
interest quite a while ago.

Yes, I think having the major distros partake in this would certainly
make sense.

Note: security@gnome.org was mainly used (until librsvg) to either rant
or ask random support questions. Any security person can ignore those,
it'll be handled by release team. People sometimes email maintainers
directly, sometimes we're a post office.

Anyone who's interested probably should be willing to improve anything
that's lacking.


-- 
Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
