* bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
@ 2015-03-11 8:06 Sona Sarmadi
2015-03-11 23:28 ` Alexandru Vaduva
0 siblings, 1 reply; 5+ messages in thread
From: Sona Sarmadi @ 2015-03-11 8:06 UTC (permalink / raw)
To: yocto-security; +Cc: yocto
Affects version 9.7.0 - 9.10.1-P1. In master we use bind 9.9.5.
// Sona
* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
2015-03-11 8:06 bind: issue in trust anchor management can cause named to crash (CVE-2015-1349) Sona Sarmadi
@ 2015-03-11 23:28 ` Alexandru Vaduva
2015-03-12 7:35 ` Sona Sarmadi
0 siblings, 1 reply; 5+ messages in thread
From: Alexandru Vaduva @ 2015-03-11 23:28 UTC (permalink / raw)
To: Sona Sarmadi, yocto-security; +Cc: yocto
Wouldn't it be better for the bugs to be only mentioned on the security list?
It is my opinion that knowing about a risk before it is fixed could cause more harm than good.
What do you think about this?
Alex Vaduva
On Wednesday, March 11, 2015 10:06 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
Affects version 9.7.0 - 9.10.1-P1. In master we use bind 9.9.5.
// Sona
* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
2015-03-11 23:28 ` Alexandru Vaduva
@ 2015-03-12 7:35 ` Sona Sarmadi
2015-03-12 15:57 ` Benjamin Esquivel
0 siblings, 1 reply; 5+ messages in thread
From: Sona Sarmadi @ 2015-03-12 7:35 UTC (permalink / raw)
To: Alexandru Vaduva, yocto-security; +Cc: yocto
Hi Alex,
Yes I agree with you but this is already a public CVE. Maybe in the future we will/should just discuss security related issues in the yocto-security@yoctoproject.org mailing list, but right now we don’t have many members so I copy to the yocto@yoctoproject.org list as well.
My intention is to make the list aware of security vulnerabilities/CVEs which keep coming all the time. I encourage everyone to do this. We will sooner or later create a bug in Bugzilla if needed or just backport the CVE to our version or upgrade the recipes in the affected package to the version which is not vulnerable.
//Sona
From: Alexandru Vaduva [mailto:vaduvajanalexandru@yahoo.com]
Sent: den 12 mars 2015 00:28
To: Sona Sarmadi; yocto-security@yoctoproject.org
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
Wouldn't it be better for the bugs to be only mentioned on the security list?
It is my opinion that knowing about a risk before it is fixed could cause more harm than good.
What do you think about this?
Alex Vaduva
* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
2015-03-12 7:35 ` Sona Sarmadi
@ 2015-03-12 15:57 ` Benjamin Esquivel
2015-03-13 7:59 ` Sona Sarmadi
0 siblings, 1 reply; 5+ messages in thread
From: Benjamin Esquivel @ 2015-03-12 15:57 UTC (permalink / raw)
To: Sona Sarmadi; +Cc: yocto-security, yocto
On Thu, 2015-03-12 at 07:35 +0000, Sona Sarmadi wrote:
> Hi Alex,
>
> Yes I agree with you but this is already a public CVE. Maybe in the
> future we will/should just discuss security related issues in the
> yocto-security@yoctoproject.org mailing list, but right now we don’t
> have many members so I copy to the yocto@yoctoproject.org list as
> well.
>
I think this list is not published in the yocto lists page:
https://www.yoctoproject.org/tools-resources/community/mailing-lists
And, who would be able to subscribe to it? invite-only? public?
>
> My intention is to make the list aware of security
> vulnerabilities/CVEs which keep coming all the time. I encourage
> everyone to do this. We will sooner or later create a bug in Bugzilla if
> needed or just backport the CVE to our version or upgrade the recipes
> in the affected package to the version which is not vulnerable.
>
> //Sona
>
> From: Alexandru Vaduva [mailto:vaduvajanalexandru@yahoo.com]
> Sent: den 12 mars 2015 00:28
> To: Sona Sarmadi; yocto-security@yoctoproject.org
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] bind: issue in trust anchor management can cause
> named to crash (CVE-2015-1349)
>
> Wouldn't it be better for the bugs to be only mentioned on the
> security list?
>
> It is my opinion that knowing about a risk before it is fixed could cause
> more harm than good.
>
> What do you think about this?
>
> Alex Vaduva
* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
2015-03-12 15:57 ` Benjamin Esquivel
@ 2015-03-13 7:59 ` Sona Sarmadi
0 siblings, 0 replies; 5+ messages in thread
From: Sona Sarmadi @ 2015-03-13 7:59 UTC (permalink / raw)
To: benjamin.esquivel; +Cc: Alexandru Vaduva, yocto-security, yocto
Hi Benjamin,
> I think this list is not published in the yocto lists page:
> https://www.yoctoproject.org/tools-resources/community/mailing-lists
> And, who would be able to subscribe to it? invite-only? public?
This mailing list is an open list to discuss security related activities (mainly for those who contribute to the Yocto Project with security updates/patches etc.). We have some info about this list on the https://wiki.yoctoproject.org/wiki/Security page; we should add this mailing list to https://www.yoctoproject.org/tools-resources/community/mailing-lists as well.
Thank you for addressing this.
//Sona