Josh's Blog

Entries from February 2007

Monday, February 26. 2007

Security Week in Review (2007-02-18)

Last week was an insanely busy week. There was a critical Ekiga flaw discovered along with a Firefox update on Friday.

The Ekiga flaw was dropped on us from the blue. When Red Hat discovers a critical 0day flaw such as this, we drop everything and make it our top priority. It turned out that if a user is running Ekiga and can receive a call, it would be possible to execute arbitrary code as that user. The scariest thing about this flaw is that the victim doesn't need to do anything other than have Ekiga running.

The Firefox update was on a Friday. This was the choice of upstream, they decided it was worth doing a Friday update since there were a number of public flaws this update fixes. We don't usually like to release major updates right before a weekend, but given the high profile nature of the flaw, we felt it was worth doing. While it made for a long Friday, it was easily worth it.

Security Updates
I expect the month of PHP bugs to start next week. I'm not sure what it will bring, but the Red Hat Security Response Team is as prepared as we can be for this. Hopefully next week's review will be boring. I doubt it, but a little hope never hurts.
Posted by Josh Bressers in Security Week in Review at 00:00 | Comments (0) | Trackbacks (0)

Sunday, February 18. 2007

Security Week in Review (2007-02-11)

It's been a very busy and crazy week for me. I had family emergency, which means I've not had time to put together a proper commentry. This week I'll only list the various security updates.

Security Updates
Posted by Josh Bressers in Security Week in Review at 23:00 | Comments (0) | Trackbacks (0)

Sunday, February 11. 2007

Security Week in Review (2007-02-04)

PHP 5.2.1 was released last week:
http://www.php.net/releases/5_2_1.php

The release notes are rather poor if you wish to determine what the actual impact of the security fixes are. The thing that scares me the most is this comment from Stefan Esser's blog
http://blog.php-security.org/archives/71-Month-of-PHP-Bugs-and-PHP-5.2.1.html


Today PHP 5.2.1 was released which fixes some (but not all) of the bugs I will cover in the "Month of PHP bugs". Actually the release announcement already gives a list of bugs that were fixed. As usual the release announcement gives too little information about the bugs, does describe several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit.


Stefan also plans on conducting a "Month of PHP bugs" type project. I'm rather worried that this will place a great many users at risk and not solve the fundamental issue of PHP upstream not taking security seriously. No matter what happens, Red Hat will take this in stride and do whatever it takes to keep our users as secure as possible.

Security Updates
Posted by Josh Bressers in Security Week in Review at 23:00 | Comments (0) | Trackbacks (0)

Sunday, February 4. 2007

Security Week in Review (2007-01-28)

I really have nothing much to say about this week. The biggest thing to happen is probably a new version of Wireshark. Wireshark 0.99.5 was released on Thursday. It only fixes some minor crashing bugs. There was once a time when Wireshark (then Ethereal) had a rather poor security record. It has improved significantly over the last few years.

The Super Bowl is on tonight, so I think I'll keep things short.

Security Updates
Posted by Josh Bressers in Security Week in Review at 23:00 | Comments (0) | Trackbacks (0)
(Page 1 of 1, totaling 4 entries)

Calendar

Back February '07 Forward
Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28      

Quicksearch

Archives

November 2008
October 2008
September 2008
Recent...
Older...

Categories



All categories

Syndicate This Blog

Blog Administration

Open login screen

Powered by

Serendipity PHP Weblog