Vulnerabilities in software happen. When they get fixed, it’s up to the packager to make those fixes available to the systems running the software. Mirroring much of the response effort that Red Hat Product Security performs for Red Hat products, the Fedora Security Team (FST) has recently been created to help packagers get vulnerability fixes downstream in a timely manner.
At the beginning of July, there were over 500 vulnerability tickets open* against Fedora and EPEL. Many of these vulnerabilities, though not all, already had patches or fixed upstream releases available. The Team has already found several cases where upstream did not know the vulnerability existed; once notified, the issue was fixed quickly. This is one of the reasons having a dedicated team working these issues is so important.
In the few short weeks since the Team was created, we’ve already closed 14 vulnerability tickets and are working another 150. We hope to be able to work in a more real-time environment once the backlog decreases. Staying in front of the vulnerabilities will not be easy, however. During the week of August 3rd, 27 new tickets were opened for packages in Fedora and EPEL. While we haven’t figured out a way to get ahead of the problem, we are trying to deal with the aftermath and get fixes pushed to the users as quickly as possible.
Additional information on the mission and the Team can be found on our wiki page. If you’d like to get involved, please join us for one of our meetings and subscribe to our mailing list.
* A separate vulnerability ticket is sometimes opened for different versions of Fedora and EPEL resulting in multiple tickets for a single vulnerability. This makes informing the packager easier but also inflates the numbers significantly.