Jo | 9 Apr 18:39 2014

Regeneration of gpg keys after HeartBleed

Hi all, this is my first post in this list, so again Hi all!

I'm a bit concerned about the signing keys of the portage tree releases,
I know that gpg is not the same as openssl but keeping in mind that SSH,
VPN, HTTPS keys might be compromised for two years, don't you think it's
a healthy measure to generate a new pair of keys?

Thank you

Samuel Damashek | 18 Jan 05:25 2014

glksa-check Proof of Concept


At the request of creffett, I created a Proof of Concept for
glksa-check, which allows for glksa XML files to define Kernel
security vulnerabilities. Please realize that this is a Proof of
Concept, and that the interface is not the most user-friendly. The
code can definitely be improved as well. To test the program, untar
the files and copy the glksa dir to /usr/portage/metadata/. At the
moment, the script requires you to have /proc/config.gz enabled in
your kernel to read your running config options.

I have two XML files currently defined (still using the glsa.dtd
schema); one that is an actual vulnerability and one that is simply a
control that triggers on X86. To test the program, run it with the -l
option.

You can download the files at http://sdamashek.me/files/glksa.tar.gz
(not sure if the mailing lists let you attach tarballs). There is
definitely a lot to be improved about the application; this is just an
idea for how to handle notifying users about Kernel vulnerabilities
that affect their system. They would be released just like glsas. What
are the list's opinions on this?

--
Samuel Damashek
Sascha Wolf | 10 Jan 16:02 2014

Soliciting feedback for the GLSA-2 format

Hi,

I find the new version of the GLSA format very interesting, especially
with the backdrop of the automated evaluation of vulnerabilities.

Would it be possible to specify in which branch of Gentoo this
program is usually installed? For example, "stable" or "unstable"?

So you can better see if you are actively involved or not.

-- 
Best regards,
Sascha Wolf
Samuel Damashek | 8 Jan 03:28 2014

Re: Kernel Vulnerability Handling and Classification Criteria


Max,

> Hello Samuel, are security vulnerabilities not classified by
> cve.mitre.org in a way that can be simply and consistently
> leveraged? I wouldn't expect gentoo to implement kernel patches
> before the Linux kernel maintainers blessed the patch, and I'd
> imagine that a cve number would have been assigned by then, or am
> I mistaken?
Yes, CVEs are assigned to kernel vulnerabilities, and I'm thinking
that in general, these criteria would be applied after they are
assigned a CVE (although that's not a requirement of course). We have
our own criteria for Portage packages because it can take time before
the issues are classified by MITRE, and the classifications aren't
Gentoo specific (correct me if I'm wrong here).

--
Samuel
Samuel Damashek | 8 Jan 03:04 2014

Kernel Vulnerability Handling and Classification Criteria


At the moment, we don't have an accepted and documented way to handle
Kernel CVEs. Right now, they're just being filed and then maybe being
resolved when upstream commits a patch.

I believe we need some way of judging priority and severity of kernel
vulnerabilities to improve bug handling and make sure that we stay
up-to-date with current patches being released. Linux kernel
development is very fast paced, so we should set up a clear system,
much like we have right now for packages in Portage, to facilitate the
filing and management of these bugs.

I'm not really a kernel guy, but there are some things that I can
figure out and propose without knowing much about kernel internals.
First, we could classify priority (giving it a letter grade) by
considering whether the issue is in kernel code that is enabled by
default, or whether the user has to enable the vulnerable code in the
kernel config. We could also use the tilde (~) as a grade when the
vulnerable code is marked EXPERIMENTAL in the config, much like we do
for unstable packages.

As far as severity goes, I think that severity would be similar to
what we have at the moment for packages, with maybe some minor
improvements to make the descriptions relevant. Priority and severity
could then be translated to an appropriate Whiteboard grade for better
tracking.

We need to develop and agree on solid criteria so that bug wranglers
can classify security issues efficiently.


Alex Legler | 8 Jan 02:14 2014

Soliciting feedback for the GLSA-2 format

Now that we've been growing a bit in numbers and have managed to get the
GLSA circulation back on track, it is time to finally talk about the new
GLSA format that has been planned for quite a while.
The main goal of the new format is to support slots which is a feature
especially glsa-check users will welcome. [1]
Besides, it has become clear that filling in information in the level of
detail the current format provides takes too much time while drafting
advisories.

Tobias and I took a bit of time today to combine all desired changes
into a new sample document:

	http://a3li.li/~alex/gentoo/security/glsa-2-example.xml

Quick outline of the most important changes:

- Synopsis removed: The title provides a quick overview of the issues,
while the new shorter description provides details, yet briefly as well.
People requiring even more information can use the linked CVE entries,
bugs, and other references.

- Product and GLSA type removed: There are only 'ebuild' type GLSAs
issued, the other types are no longer needed. Product was linked to that.

- Packages section reworked: While adding Slot support we tried to get a
new, simple, range-based scheme for marking vulnerable versions. The
flexibility the range operators offered before was hardly ever used
(mostly just to work around the lacking Slot support). We'd especially
like feedback in this area, I fear we might be missing some
functionality here. Quick explanation:

cfp | 15 Jul 05:54 2013

Ruxcon 2013 Final Call For Papers

Ruxcon 2013 Final Call For Papers
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the final call for papers for Ruxcon.

This year the conference will take place over the weekend of the 26th and 27th 
of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 31st of August.

.[x]. About Ruxcon .[x]. 

 Ruxcon is a premier technical computer security conference in Australia. 
 The conference aims to bring together the individual talents of the best and 
 brightest security folk in the region, through live presentations, activities 
 and demonstrations.

 The conference is held over two days in a relaxed atmosphere, allowing 
 attendees to enjoy themselves whilst networking within the community and 
 expanding their knowledge of security.

 For more information, please visit http://www.ruxcon.org.au

.[x]. Important Dates .[x].

 August 31 - Call For Presentations Close
 October 26-27 - Ruxcon Conference


cfp | 7 May 06:28 2013

Ruxcon 2013 Call For Papers

Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.

This year the conference will take place over the weekend of the 26th and 27th 
of October at the CQ Function Centre, Melbourne, Australia.

.[x]. About Ruxcon .[x]. 

 Ruxcon is a premier technical computer security conference in Australia. 
 The conference aims to bring together the individual talents of the best and 
 brightest security folk in the region, through live presentations, activities 
 and demonstrations.

 The conference is held over two days in a relaxed atmosphere, allowing 
 attendees to enjoy themselves whilst networking within the community and 
 expanding their knowledge of security.

 Live presentations and activities will cover a full range of defensive 
 and offensive security topics, varying from previously unpublished research 
 to required reading for the security community. 

 For more information, please visit http://www.ruxcon.org.au

.[x]. Important Dates .[x].

 May 7th - Call For Presentations Open

cfp | 30 Apr 23:57 2013

Breakpoint 2013 Call For Papers

Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

 The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.

 Breakpoint showcases the work of expert security researchers from around the
 world on a wide range of topics. This conference is organised by the Ruxcon 
 team and offers a specialised security conference to complement and lead into 
 the larger and more casual Ruxcon weekend conference. Breakpoint caters 
 towards security researchers and industry professionals alike, with a focus on 
 cutting edge security research.

 Breakpoint presents a great opportunity for our selected speakers to receive a
 complimentary trip to Australia and experience both the Breakpoint and Ruxcon 
 conferences, not to mention the great weather, awesome parties, and friendly 
 people. Melbourne is a city of many subcultures, personalities and styles. 
 Melbourne has a vibrant arts and music scene, eccentric cafes, intimate bars 
 and restaurants, and is known as Australia's cultural capital.

.[x]. Important Dates .[x].

 May 1  - Call For Presentations Open
 August 23  - Call For Presentations Close
 October 22-23	- Breakpoint Training
 October 24-25	- Breakpoint Conference
 October 26-27	- Ruxcon Conference

Agostino Sarubbo | 11 Sep 21:20 2012

Re: CVE-2012-3547 vulnerability in net-dialup/freeradius

On Tuesday 11 September 2012 16:56:09 Štefan Sakalík wrote:
> Hi,
> we are affected by this vulnerability so I have created a patch for
> freeradius-2.1.11-r1 (in attachment) inspired by upstream patch in git
> at git://git.freeradius.org/freeradius-server.git , commit 684dce7da5fd078.
> Please review this patch and include it in gentoo since it's a rather
> severe vulnerability.
Please use our bugzilla for this stuff. File a new bug and proceed with your 
request.

Anyway, I see from this advisory [1] that it is enough to bump to the latest version.

[1]: https://secunia.com/advisories/50484/
-- 
Agostino Sarubbo / ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D
cfp | 10 May 13:48 2012

Breakpoint 2012 Call For Papers

Breakpoint 2012 Call For Papers
Melbourne, Australia, October 17th-18th
Intercontinental Rialto
www.ruxconbreakpoint.com
www.twitter.com/ruxconbpx

.[x]. Introduction .[x].

 Breakpoint is a new security conference being held on the 17th and 18th of
 October 2012, in Melbourne Australia. The event will showcase the work of
 expert security researchers from around the world on a wide range of topics.
 Breakpoint is organised by the Ruxcon conference team and will offer a
 specialised and more professional security conference to complement and lead
 into the larger and more casual Ruxcon weekend conference. Breakpoint will
 cater towards security researchers and industry professionals alike, with a
 focus on cutting edge security research.

 With just one day separating both conferences, Breakpoint presents a great
 opportunity for our selected speakers to receive a complimentary trip to
 Australia and experience both the Breakpoint and Ruxcon conferences, not to
 mention the great weather, awesome parties, and friendly people.

 Melbourne is Australia's cultural capital, with Victorian-era architecture,
 extensive shopping, museums, galleries, theatres, and large parks and gardens.
 It is a city of many subcultures, personalities and styles, and it is these
 layers that make it so interesting. Melbourne has a vibrant arts and music
 scene, eccentric cafes, cobbled lane-ways, quirky shops, intimate bars and
 restaurants, and is known as one of the world's great street art capitals.

.[x]. Important Dates .[x].

 * May 10 - Call For Presentations Open
 * July 30 - Call For Presentations Close
 * October 15-16 - BreakPoint Training
 * October 17-18 - BreakPoint Conference
 * October 20-21 - Ruxcon Conference

.[x]. Topic Scope .[x].

 Topics of interest include, but are not limited to:

 o Mobile Device Security
 o Exploitation Techniques
 o Reverse Engineering
 o Vulnerability Discovery
 o Rootkit Development
 o Malware Analysis
 o Code Analysis
 o Virtualization, Hypervisor Security
 o Cloud Security
 o Embedded Device Security
 o Hardware Security
 o Telecommunications Security
 o Wireless Network Security
 o Web Application Security
 o Law Enforcement Activities
 o Forensics
 o Threat Intelligence
 o You get the idea

.[x]. Submission Guidelines .[x].

 In order for us to process your submission we will require the following
 information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented
    before Breakpoint

 * Preference will be given to presentations that contain original research
   that will be first presented at Breakpoint.
 * As a general guideline, BreakPoint presentations are between 45 and 60
   minutes, including question time.

 If you have any enquiries about submissions, or would like to make a
 submission, please send an email to bpx <at> ruxconbreakpoint.com.

.[x]. Speaker Benefits .[x].

 Speakers at BreakPoint will be entitled to the following benefits:

 - A return economy airfare to Melbourne (total cost limit applies)
 - Three nights accommodation at the Intercontinental Rialto
 - Complimentary registration for Breakpoint and Ruxcon conferences
 - Invitation to all BreakPoint and Ruxcon parties
 - Unlock 'Presented on world's smallest continent' achievement

 * All speaker benefits apply to a single speaker per submission.

.[x]. Contact .[x].

 If you have any questions or queries, contact us at:

 * Email: bpx <at> ruxconbreakpoint.com
 * Twitter: <at> ruxconbpx

 Presented by Ruxcon - www.ruxcon.org.au
