<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security">
    <title>gmane.linux.gentoo.security</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3221"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3220"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3218"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3217"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3216"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3215"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3214"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3213"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3212"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3211"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3210"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3209"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3208"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3207"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3206"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3205"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3204"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3203"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3202"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.security/3201"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3221">
    <title>Ruxcon 2013 Call For Papers</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3221</link>
    <description>&lt;pre&gt;Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/


The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.

This year the conference will take place over the weekend of the 26th and 27th 
of October at the CQ Function Centre, Melbourne, Australia.


.[x]. About Ruxcon .[x]. 

 Ruxcon is a premier technical computer security conference in Australia. 
 The conference aims to bring together the individual talents of the best and 
 brightest security folk in the region, through live presentations, activities 
 and demonstrations.

 The conference is held over two days in a relaxed atmosphere, allowing 
 attendees to enjoy themselves whilst networking within the community and 
 expanding their knowledge of security.

 Live presentations and activities will cover a full range of defensive 
 and offensive security topics, varying from previously unpublished research 
 to required reading for the se&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2013-05-07T04:28:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3220">
    <title>Breakpoint 2013 Call For Papers</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3220</link>
    <description>&lt;pre&gt;Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com


.[x]. Introduction .[x].

 The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.

 Breakpoint showcases the work of expert security researchers from around the
 world on a wide range of topics. This conference is organised by the Ruxcon 
 team and offers a specialised security conference to complement and lead into 
 the larger and more casual Ruxcon weekend conference. Breakpoint caters 
 towards security researchers and industry professionals alike, with a focus on 
 cutting edge security research.

 Breakpoint presents a great opportunity for our selected speakers to receive a
 complimentary trip to Australia and experience both the Breakpoint and Ruxcon 
 conferences, not to mention the great weather, awesome parties, and friendly 
 people. Melbourne is a city of many subcultures, personalities and styles. 
 Melbourne has a vibrant arts and music scene, e&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2013-04-30T21:57:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3218">
    <title>Re: CVE-2012-3547 vulnerability in net-dialup/freeradius</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3218</link>
    <description>&lt;pre&gt;Please use our bugzilla for this stuff. File a new bug and proceed with your 
request.

Anyway, I see, from this advisory[1], that it is enough to bump the latest version.

[1]: https://secunia.com/advisories/50484/
&lt;/pre&gt;</description>
    <dc:creator>Agostino Sarubbo</dc:creator>
    <dc:date>2012-09-11T19:20:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3217">
    <title>Breakpoint 2012 Call For Papers</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3217</link>
    <description>&lt;pre&gt;                 . ______________________________________
                 ._\\.         Breakpoint 2012           (___.
                 :          Intercontinental Rialto          :
                 :           Melbourne,  Australia           :
                 :             October 17th-18th             :
                 :__                                    . ___:
                    )____________________________________\\
                                                            .
                          www.ruxconbreakpoint.com
                          www.twitter.com/ruxconbpx



Introduction
------------

 Breakpoint is a new security conference to be held on the 17th and 18th of
 October, in Melbourne, Australia. The event will showcase the work of expert
 security researchers from around the world on a wide range of topics.
 Breakpoint is organised by the Ruxcon conference team and will offer a
 specialised and more professional security conference to complement and lead
 into the larger and&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2012-05-10T11:48:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3216">
    <title>Ruxcon 2012 Call For Papers</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3216</link>
    <description>&lt;pre&gt;Ruxcon 2012 Call For Papers

The Ruxcon team is pleased to announce the call for papers for the 2012 annual Ruxcon conference.

This year the conference will take place over the weekend of 20th and 21st of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 15th of July.


* What is Ruxcon?

Ruxcon is the premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

For more information, please visit http://www.ruxcon.&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2012-04-19T05:04:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3215">
    <title>(unknown)</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3215</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>qubin</dc:creator>
    <dc:date>2011-12-09T06:21:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3214">
    <title>Re: CVE-2011-4313 - BIND 9 Resolver crashes after logging an error in query.c</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3214</link>
    <description>&lt;pre&gt;
On Nov 17, 2011, at 1:30 AM, David Sommerseth wrote:


https://bugs.gentoo.org/show_bug.cgi?id=390753

&lt;/pre&gt;</description>
    <dc:creator>Matt Thode</dc:creator>
    <dc:date>2011-11-17T08:48:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3213">
    <title>CVE-2011-4313 - BIND 9 Resolver crashes after logging an error in query.c</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3213</link>
    <description>&lt;pre&gt;
Hi,

This is a very fresh CVE, and I wondered if this has caught your attention?
 When would it be reasonable to expect an update for this issue?  ISC have
already released patches fixing this issue.

https://www.isc.org/software/bind/advisories/cve-2011-4313


kind regards,

David Sommerseth




&lt;/pre&gt;</description>
    <dc:creator>David Sommerseth</dc:creator>
    <dc:date>2011-11-17T07:30:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3212">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3212</link>
    <description>&lt;pre&gt;Rich Freeman wrote, on 08/27/2011 03:06 PM:

Yes, we are aware of that. We know it's very unfortunate, but just
*stating* it doesn't get us more manpower.


We currently believe the tool *is* just a few weeks away; we plan to
meet in person at the end of September. But I don't want to promise
anything as real life may get in the way anytime.


Sure, but that is not the case. It's still possible to use the old
GLSAmaker and send out advisories; the problem is manpower. No-one
currently wants to do the work with the old tool (And no, editing XML
files manually won't motivate people either).


That's similar to the bug wrangling situation a while ago. The queue was
huge and everyone knew we needed more people to wrangle the bugs. But
how many people actually did that for more than a few? Not even a handful.

Having maintainers "care" about security just won't work out. That's why
the security team exists in the first place.



&lt;/pre&gt;</description>
    <dc:creator>Tobias Heinlein</dc:creator>
    <dc:date>2011-08-27T13:34:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3211">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3211</link>
    <description>&lt;pre&gt;
So, if we weren't able to log or update any bugs for six months, we
would probably at least give devs a spreadsheet on google docs or
something.  I wouldn't suggest that we put the distro on hold until
somebody could re-engineer bugzilla.

If we had an automatic ebuild creator and nobody created ebuilds for
six months I'd suggest that we create them by hand.

We're talking about emails and xml files - neither of which are
terribly complex.  Exact format on the former is not critical, and the
syntax of the latter can be checked with standard tools.  If on rare
occasion we get one wrong we fix it - just like we do with ebuilds
(the libpng glsa still shows stable amd64 as vulnerable, so simply
having a tool doesn't prevent mistakes).


I have no doubt that automation is better than no automation.
However, that isn't really what we're discussing here.  What we're
talking about is GLSAs vs no GLSAs.  Working automated GLSAs
apparently don't exist right now.  It is wonderful that a bunch of
people are looking to &lt;/pre&gt;</description>
    <dc:creator>Rich Freeman</dc:creator>
    <dc:date>2011-08-27T13:06:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3210">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3210</link>
    <description>&lt;pre&gt;Rich Freeman wrote, on 08/27/2011 02:13 PM:

I have read that idea multiple times now, each of them by people not on
the security team or something similar. It just doesn't work that way.
It's like suggesting to ditch Bugzilla and instead enter bugs manually
with SQL commands into a database. Well, not quite, but you get the idea.

Also, as previously stated, we know that the tool sucks, which is why
Alex has been working for months on new tools. We really wouldn't spend
that much time on that if it wasn't worth it.


&lt;/pre&gt;</description>
    <dc:creator>Tobias Heinlein</dc:creator>
    <dc:date>2011-08-27T12:34:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3209">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3209</link>
    <description>&lt;pre&gt;
The current GLSA mechanism already provides both of these.  There are
the email notifications, and there is an xml file that provides the
masking information (which the glsa-checker tool and some package
managers use).

From what I've seen (from a distance), the problem seems to be that
both of these are created using a software tool which is apparently
very cumbersome to use.  However, both are just text files.

Part of me wonders if a workflow like this would help solve the problem:

1.  Some contributor posts a GLSA email and xml file to a security
bug.  This could be anybody.  The content would be trimmed down a bit
- perhaps just a CVE reference, and then the information on vulnerable
and non-vulnerable versions.

2.  Somebody on staff with commit access to the xml tree and the
mailing list would review and send out the advisory, and mark this as
done in the bug.

I also wonder if there would be value in sending out the notice
after the fixed version is in the tree but before it is stable.  Right
no&lt;/pre&gt;</description>
    <dc:creator>Rich Freeman</dc:creator>
    <dc:date>2011-08-27T12:13:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3208">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3208</link>
    <description>&lt;pre&gt;On 26.08.2011 20:08, Kevin Bryan wrote:

Your idea sounds interesting and could lead to very cool technology like the 
'ACCEPT_RISKS="..."' variable mentioned elsewhere in this thread.

But it does not solve a major part of the use case. In my opinion, we need to 
get notifications about security risks over an independent channel without 
having to update the portage tree.

For me (and the rest of my company) the greatest advantage of Gentoo over 
other distributions is its "continuous integration" approach. Updates get 
committed to the portage tree continuously over time and administrators are 
completely free on how often and when they update their systems. This is 
great. But given I have an installed base and I have no reason to update the 
portage tree now, I need a reliable information about "this package is 
borked". Then I should go for update as fast as possible of course. :-)

So in consequence I would appreciate to have both mechanisms: a timely 
up-front notification via GLSAs (probably more &lt;/pre&gt;</description>
    <dc:creator>Christian Kauhaus</dc:creator>
    <dc:date>2011-08-27T08:49:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3207">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3207</link>
    <description>&lt;pre&gt;But Alex, this could be a great improvement to the system as a whole. This can
help administrators to better measure their systems, and maybe "force"
developers to solve issues faster.

What do you think?


Daniel

On 8/26/11, Alex Legler &amp;lt;a3li&amp;lt; at &amp;gt;gentoo.org&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Daniel A. Avelino</dc:creator>
    <dc:date>2011-08-26T23:38:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3206">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3206</link>
    <description>&lt;pre&gt;
I see this as an addition to sending advisories after fixing an issue, not as 
a solution to the issue at hand.

&lt;/pre&gt;</description>
    <dc:creator>Alex Legler</dc:creator>
    <dc:date>2011-08-26T22:27:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3205">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3205</link>
    <description>&lt;pre&gt;I like this approach but I have no idea about how this could be performed.

ACCEPT_RISKS="remote dos"  emerge ...

Sounds very cool to me.

Daniel

On 8/26/11, Kevin Bryan &amp;lt;bryank&amp;lt; at &amp;gt;cs.uri.edu&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Daniel A. Avelino</dc:creator>
    <dc:date>2011-08-26T20:40:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3204">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3204</link>
    <description>&lt;pre&gt;I was not considering the entire process, just the part that really
impacts me: identifying vulnerable and patched packages.  Full
advisories are nice, but really what I want to know is when I need to
update a particular package.

You are right that marking the packages that contain fixes doesn't
really scale because of increased baggage to carry forward.

The problem I have with GLSA's is that they don't come out until after
the problem has been fixed.  

Perhaps it would be better to just have a system to label a particular
ebuild/version as vulnerable.  Maybe something closer to package.mask,
but for security would be appropriate.  With a package.security_mask,
you could have anyone on the security project update that file with
packages as soon as they know about it and while they are waiting on the
devs to fix it.  References/links/impact could be noted in the comments
above, as package.mask does now.

As for interacting with 'emerge', I don't think we want &lt;/pre&gt;</description>
    <dc:creator>Kevin Bryan</dc:creator>
    <dc:date>2011-08-26T20:02:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3203">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3203</link>
    <description>&lt;pre&gt;
Alex,

If my reply seemed, in any way, to suggest I do not appreciate the amount of 
work that has been going into the GLSAs and the difficulty in finding the 
people to keep doing it, then I am sorry.
It wasn't meant to sound that way.

I'll go read the Padawan page and see if there is anything I can do.

For others, the padawan-page can be found here:
http://www.gentoo.org/security/en/padawans.xml

--
Joost


&lt;/pre&gt;</description>
    <dc:creator>Joost Roeleveld</dc:creator>
    <dc:date>2011-08-26T19:30:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3202">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3202</link>
    <description>&lt;pre&gt;Alex.

For web vulnerability discovery, one of the most important tools to us is
Nessus, to search and compare against the CVE database. Sometimes, Nessus finds
some vulnerable packages on our Gentoo boxes and when we go to emerge -UDN
them, there is no updated version even when the fixes are available [in other
distros, for example].

The Core Impact

http://www.coresecurity.com/

does a great job too but we only tested the demo version. [That is great too].

There is another interesting tool [not really web related but...], the Secunia
PSI

http://secunia.com/vulnerability_scanning/online/

that does a great job in searching for non-updated packages, but Windows only.

Reading your last answer, I had the impression we are talking about different
things but I think I can connect them. My apologies for speculating without
reading the complete team work documentation, but even if issue correction is
not our job as you said, I think we could pressure package maintainers to
update their packages since we (in thesis) have more visibility a&lt;/pre&gt;</description>
    <dc:creator>Daniel A. Avelino</dc:creator>
    <dc:date>2011-08-26T19:27:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3201">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3201</link>
    <description>&lt;pre&gt;
We already use CVE as one of our sources of vulnerability intelligence. 
Finding issues is also not the real issue here.
Also, actual issue correction is not our job, it's the responsibility of the 
package maintainer.

Can you share details about the utilities you are using?

Alex

&lt;/pre&gt;</description>
    <dc:creator>Alex Legler</dc:creator>
    <dc:date>2011-08-26T18:44:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.security/3200">
    <title>Re: No GLSA since January?!?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.security/3200</link>
    <description>&lt;pre&gt;Hi Kevin.

That is an interesting idea. So one could check about vulnerability solutions
_before_ package installation. And better. This could give us a measure of
how secure [think a little bit ahead] packages in the portage tree are.

Actually, there are some mechanisms to know what is the mean time corrections
are provided when one looks at the portage tree as a whole?

I like this idea and would like to suggest two other variables

SECURITY_CORRECTION_DATE
SECURITY_DISCOVERY_DATE

containing the date the correction was published on the portage tree and
the date the problem was posted [maybe in bugzilla]

Let me go back and continue to read Security Project documentation.


Regards,

Daniel A. Avelino


On Fri, Aug 26, 2011 at 3:08 PM, Kevin Bryan &amp;lt;bryank&amp;lt; at &amp;gt;cs.uri.edu&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Daniel A. Avelino</dc:creator>
    <dc:date>2011-08-26T18:41:58</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.security">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.security</link>
  </textinput>
</rdf:RDF>
