On Wednesday 13 November 2013 10:14:48 Dominique Leuenberger a.k.a. Dimstar
wrote:
> Quoting Michal Vyskocil <mvyskocil(a)suse.cz>:
> > Hi all,
> >
> > in order to get back to the work, I would like to point your attention
> > to https://build.opensuse.org/request/show/206502
> >
> > Tomcat got new release manager, which means changed tomcat.keyring. As
> > there is no policy how to do that, I've made my best. So tomcat.keyring
> > does use only new key and it is mentioned in .changes including new key
> > and a linked to svn commit adds the new id to tomcat7/KEYS file.
> >
> > Is there anything else you'd like to mention?
>
> Michal,
>
> I'd seen that request and I really appreciate the way it's documented.
> It shows that there has been clear thought and not 'just replacing'
> the .keyring.
>
> Replacing the .keyring MUST be a sensible topic for the review team
> (if not: we can as well remove the logic: if injecting a random
> keyring into the package does not result in the verification of the
> keyring, it's wasted space).
I fail to see why this pops up now when a .keyring was changed. Did somebody
verify how those .keyring files were created in the first place? As long as we
don't have an automated way to trust keyring files, we have zero security
gained.
Others have stated that the keyring files shouldn't be part of the package
they're supposed to validate. Maybe only a very small set of trusted users
would be allowed to change that.
We only need a package with openSUSE's blessed keyring and require that for
gpg-offline verification during build. Put that package into Base:System or
openSUSE:Tools or wherever it's safe enough and have the security team be the
only maintainers. As a Factory reviewer, you would normally trust SUSE's
security team and wave through changes to the keyring package.
Net result, one less review task that was spoiled since its inception anyway.
CC'ed the sec guys therefore...
> I did not yet have time to actually do the KR validation.. but from a
> .changes entry, I think it's just right.
As said, I can certainly live with mentioning it. Maybe it's even a good idea.
It's just not helping anybody ATM.
--
Sascha Peilicke
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer HRB 16746 (AG Nürnberg)
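The point made above, that a keyring shipped inside the package it validates adds nothing unless its contents are pinned by something the reviewer trusts independently, can be turned into a build-time check. The following is an added example, not code from this thread, from gpg-offline or from the openSUSE build service: it parses a binary OpenPGP keyring, computes the RFC 4880 v4 fingerprint of every primary key and subkey it contains, and compares that set against a pinned list (for example the fingerprint named in the .changes entry that the review approved). The keys and the keyring are constructed toy data, not the real Tomcat release-manager keys; partial body lengths, indeterminate lengths and v3/v5 keys are deliberately rejected rather than handled.

```python
import hashlib
import struct

# ---------- helpers to build a constructed sample keyring (toy data, not real keys) ----------

def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length + big-endian magnitude."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body

def _old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header (RFC 4880 4.2.1) with a 2-octet length field."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def make_rsa_public_key_packet(created: int, n: int, e: int = 65537) -> bytes:
    """Version-4 RSA public-key packet body: version, creation time, algorithm 1, MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)

# ---------- the actual check ----------

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, 2-octet body length, then the public-key packet body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary keyring; both header formats are accepted."""
    pos = 0
    while pos < len(data):
        ptag = data[pos]
        if not ptag & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ptag & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = ptag & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag = (ptag >> 2) & 0x0F
            ltype = ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length

def keyring_fingerprints(keyring: bytes) -> set:
    """Fingerprints of every primary key (tag 6) and subkey (tag 14) found in the keyring."""
    return {v4_fingerprint(body) for tag, body in iter_packets(keyring) if tag in (6, 14)}

def check_keyring(keyring: bytes, pinned: set):
    """Return (ok, unexpected, missing): ok only if the keyring holds exactly the pinned keys."""
    found = keyring_fingerprints(keyring)
    unexpected = found - pinned
    missing = pinned - found
    return (not unexpected and not missing, unexpected, missing)

# ---------- constructed sample: an old and a new "release manager" key ----------

OLD_KEY = make_rsa_public_key_packet(1262304000, int.from_bytes(b"old-manager-toy-modulus!", "big") | 1)
NEW_KEY = make_rsa_public_key_packet(1383264000, int.from_bytes(b"new-manager-toy-modulus!", "big") | 1)
OLD_UID = b"Old Release Manager <old@example.org>"
NEW_UID = b"New Release Manager <new@example.org>"

NEW_ONLY_KEYRING = _old_format_packet(6, NEW_KEY) + _old_format_packet(13, NEW_UID)
OLD_AND_NEW_KEYRING = (_old_format_packet(6, OLD_KEY) + _old_format_packet(13, OLD_UID)
                       + NEW_ONLY_KEYRING)

if __name__ == "__main__":
    pinned = {v4_fingerprint(NEW_KEY)}  # what the reviewed .changes entry would name
    for name, ring in (("new-only", NEW_ONLY_KEYRING), ("old-and-new", OLD_AND_NEW_KEYRING)):
        ok, unexpected, missing = check_keyring(ring, pinned)
        print(name, "OK" if ok else "REJECT", "unexpected:", sorted(unexpected), "missing:", sorted(missing))
```

The check pins key identity only; it says nothing about whether the tarball signature verifies, which remains gpg's job. Its value is that the pinned fingerprints live outside the package (in the review record or a central, security-team-maintained keyring package), so swapping the keyring alone no longer passes the build.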
This is an add-on package that would allow users to upload files through a web server. Although the bug sounds bad, I can't imagine that any of our sites are running this; I checked a few and I can't find it even installed anywhere. It can wait for the next scheduled patching.
Company policy requires: This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
-----Original Message-----
From: opensuse-security(a)opensuse.org [mailto:opensuse-security@opensuse.org]
Sent: Tuesday, November 12, 2013 10:04 AM
To: opensuse-security-announce(a)opensuse.org
Subject: [security-announce] SUSE-SU-2013:1660-1: important: Security update for jakarta-commons-fileupload
SUSE Security Update: Security update for jakarta-commons-fileupload
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:1660-1
Rating: important
References: #846174
Cross-References: CVE-2013-2186
Affected Products:
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP2 for VMware
SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
jakarta-commons-fileupload received a security fix:
* A poison null byte flaw was found in the implementation of the DiskFileItem class. A remote attacker able to supply a serialized instance of the DiskFileItem class, which would be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is permitted by the user running the application server process. (CVE-2013-2186)
Security Issue reference:
* CVE-2013-2186
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP3 for VMware:
zypper in -t patch slessp3-jakarta-commons-fileupload-8446
- SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-jakarta-commons-fileupload-8446
- SUSE Linux Enterprise Server 11 SP2 for VMware:
zypper in -t patch slessp2-jakarta-commons-fileupload-8445
- SUSE Linux Enterprise Server 11 SP2:
zypper in -t patch slessp2-jakarta-commons-fileupload-8445
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):
jakarta-commons-fileupload-1.1.1-1.35.1
jakarta-commons-fileupload-javadoc-1.1.1-1.35.1
- SUSE Linux Enterprise Server 11 SP3 (noarch):
jakarta-commons-fileupload-1.1.1-1.35.1
jakarta-commons-fileupload-javadoc-1.1.1-1.35.1
- SUSE Linux Enterprise Server 11 SP2 for VMware (noarch):
jakarta-commons-fileupload-1.1.1-1.35.1
jakarta-commons-fileupload-javadoc-1.1.1-1.35.1
- SUSE Linux Enterprise Server 11 SP2 (noarch):
jakarta-commons-fileupload-1.1.1-1.35.1
jakarta-commons-fileupload-javadoc-1.1.1-1.35.1
References:
http://support.novell.com/security/cve/CVE-2013-2186.html
https://bugzilla.novell.com/846174
http://download.novell.com/patch/finder/?keywords=4e850046eae7d47e6c4921a62…
http://download.novell.com/patch/finder/?keywords=56b6ca4a38407b07a824c188a…
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
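The advisory describes the defect class only: a repository path restored from attacker-supplied serialized state, with an embedded null byte, ends up pointing where the attacker chose. The following is an added illustration, not the Java fix shipped in jakarta-commons-fileupload and not code from this list: it shows, in Python, the three checks that a deserialization hook (readObject in Java) should apply to such a path before any file is written through it. The base directory, the candidate paths and the helper names (validate_repository, classify, demo) are constructed for the example.

```python
import os
import tempfile

def validate_repository(repository: str, allowed_base: str) -> str:
    """Return the canonical repository directory, or raise ValueError.

    Models the checks to run on a 'repository' path that arrives from
    untrusted serialized state rather than from trusted configuration.
    """
    # 1. Poison null byte: C-level file APIs stop at the first NUL, so a path such as
    #    "uploads/x.jsp\0.tmp" is opened as "uploads/x.jsp". Reject it outright.
    if "\x00" in repository:
        raise ValueError("repository path contains a null byte")
    base = os.path.realpath(allowed_base)
    # os.path.join discards base when repository is absolute, so absolute paths
    # are judged on their own and fail the containment check below.
    target = os.path.realpath(os.path.join(base, repository))
    # 2. Containment: after resolving '..' and symlinks, the path must stay under base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("repository escapes the allowed base directory")
    # 3. Must already exist as a directory: never create directories from untrusted state.
    if not os.path.isdir(target):
        raise ValueError("repository is not an existing directory")
    return target

def classify(candidates, allowed_base: str) -> dict:
    """Map each candidate path to 'ok' or to the reason it was rejected."""
    results = {}
    for candidate in candidates:
        try:
            validate_repository(candidate, allowed_base)
            results[candidate] = "ok"
        except ValueError as exc:
            results[candidate] = str(exc)
    return results

def demo() -> dict:
    """Constructed scenario: a fresh base directory holding one legitimate 'uploads' repository."""
    base = tempfile.mkdtemp(prefix="upload-repo-")
    os.mkdir(os.path.join(base, "uploads"))
    candidates = [
        "uploads",              # the configured repository: accepted
        "uploads\x00ignored",   # null byte, the CVE-2013-2186 pattern: rejected
        "../../tmp",            # traversal out of the base: rejected
        "/etc",                 # absolute path outside the base: rejected
        "uploads/missing",      # inside the base but not an existing directory: rejected
    ]
    return classify(candidates, base)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(repr(path), "->", verdict)
```

The order matters: the null-byte test comes first because path normalisation functions may themselves choke on, or silently truncate at, an embedded NUL, and the existence check comes last so that a rejected path never causes a directory to be created. The same three questions (is the string well formed, is it contained, does it name something that already exists) apply to any path that survives a deserialization boundary.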