
List:       fedora-devel-list
Subject:    Re: Bind update (CVE-2016-2776)?
From:       Jaroslav Reznik <jreznik () redhat ! com>
Date:       2016-09-29 11:12:03
Message-ID: CAMDqk56Pmk4nTTDj3PCT03buJjtpaR9=8gUOChZ-JRdf1jAYVw () mail ! gmail ! com

On Thu, Sep 29, 2016 at 10:36 AM, Igor Gnatenko <ignatenko@redhat.com> wrote:
> On Thu, Sep 29, 2016 at 10:08 AM, Tomas Hozza <thozza@redhat.com> wrote:
> > On 09/29/2016 06:19 AM, Bojan Smojver wrote:
> > > Could someone with sufficient access please spin up an update of bind
> > > for F-24 and other flavours of Fedora. That CVE looks like a pretty
> > > serious DoS. This has already been fixed in RHEL.
> > > 
> > > Thanks,
> > > 
> > 
> > Hi.
> > 
> > I'll be pushing the updates shortly. The problem with Fedora is that we
> > can not prepare the update in advance as for RHEL, because everything
> > (git repos, update system, etc.) is public.
> You mean before CVE has been published? Or what's the problem with being
> public?

In some cases, the security bugs are embargoed (so everyone has enough
time to get ready for the fix) but it doesn't go very well with how
our infrastructure works. Everything is public, so you can't commit,
you can't build and test ahead of time to get it released when embargo
is lifted. And it can take time. Some time ago OpenJDK guys contacted
me as they were hit by it and I created Board ticket for hidden
private builds. Board was ok with it (although it was difficult to
explain embargo concept ;-) [1] but with the amount of changes needed
in the infrastructure...

[1] http://fedoraproject.org/wiki/Meeting:Board_meeting_2012-10-03#.23144:_Hidden_Private_Builds


R.

> > 
> > Regards,
> > Tomas
> > --
> > Tomas Hozza
> > Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL
> > 
> > PGP: 1D9F3C2D
> > UTC+2 (CEST)
> > Red Hat Inc.                 http://cz.redhat.com
> > _______________________________________________
> > devel mailing list -- devel@lists.fedoraproject.org
> > To unsubscribe send an email to devel-leave@lists.fedoraproject.org
> 
> 
> 
> --
> -Igor Gnatenko



-- 
Jaroslav Řezník <jreznik@redhat.com>
Engineering Program Manager

Office: +420 532 294 645
Mobile: +420 602 797 774
PIN: REZZABBM
Red Hat, Inc.                               http://www.redhat.com/

