Security issues: How do users, maintainers and developers work together? Example: Opera 10.60 issues

WAS: openSUSE 11.3 herunterladen : Update auf Opera 10.61 offenbar auch relevant für Sicherheit

Did anything go wrong, and if so, why? As

  • security issues in Opera 10.60 were published by Opera on ??? [1a][1b][1c]
  • got fixed by Opera on 12-Aug-2010 [2]
  • got noticed by openSUSE users around 18-Aug-2010 [3]
  • got fixed in the openSUSE repositories on 24-August-2010 [4]
  • got described in the security newsletter of 25-August-2010 [5]
    ?

About two weeks for the package to travel from the original vendor to the openSUSE repository user.
Is this the normal speed for a security-related process like that?

Regards
pistazienfresser

Footnotes/References

[1a] Advisory: Heap buffer overflow in HTML5 canvas can be used to execute arbitrary code - Opera Knowledge Base
[1b] Advisory: Unexpected changes in tab focus can be used to run programs from the Internet - Opera Knowledge Base
[1c] Advisory: News feed preview can subscribe to feeds without interaction - Opera Knowledge Base
[2] Opera: Opera 10.61 for UNIX changelog (Release notes* : Release date: August 12, 2010*) " Security Fixes * Fixed an issue where heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc; see our advisory. * Fixed an issue where unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia; see our advisory. * Fixed an issue where news feed preview could subscribe to feeds without interaction, as reported by Alexios Fakos; see our advisory."
[3] openSUSE 11.3 herunterladen (first posting, beginning of the thread)
[4a] Index of /update/11.2/rpm/i586
with " opera-10.61-0.1.1.i586.rpm 24-Aug-2010 13:42 12M Mirrors Metalink
[4b] openSUSE 11.3 herunterladen
[5] openSUSE-SU-2010:0540-1 (important): opera: version 10.61 fixes various vulnerabilities (25. August 2010 - 03:08:14 UTC)

They weren’t critical vulnerabilities and had no exploits in the wild; it was suspected that they might be used to execute code, but there wasn’t even a “proof-of-exploit” available.

Thanks for the clarification, Chrysantine. “Severity High” of the lately
cited Opera warning[1a] had not a funny sound for me,
but I had to admit I did no further research on that issue.

@ all:
Does anyone know how to act to speed up an update related to a (not by
personal experience) known security issue without being able to maintain
it myself?
A fake bug report?

Opera 10.62 of 2010-09-09 seems to fix no security issues at all.[6]

But how could I speed things up in a case like my Mozilla
Thunderbird 3.0.6 or my Mozilla Firefox 3.6.8?[7][8][9][10]

Regards
pistazienfresser

Footnotes

[1a] Browser Problems? We can help you! | Help & FAQ | Opera

[6]How can we help you? - Opera Help

[7]Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12) — Mozilla
"Title: Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
Impact: Critical
Announced: September 7, 2010
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.9 Firefox 3.5.12 Thunderbird 3.1.3 Thunderbird
3.0.7 SeaMonkey 2.0.7"

[8] Mozilla Thunderbird Bugs Let Remote Users Conduct Cross-Site
Scripting Attacks, Obtain Potentially Sensitive Information, and Execute
Arbitrary Code SecurityTracker; SecurityTracker URL:
http://securitytracker.com/id?1024403
(2010-09-08)
"Impact: A remote user can create a HTML that, when loaded by the
target user, will execute arbitrary code on the target user’s system.

A remote user can access the target user’s cookies (including
authentication cookies), if any, associated with the target site, access
data recently submitted by the target user via web form to the site, or
take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.
Solution: The vendor has issued a fix (3.0.7, 3.1.3).
"
[9] Mozilla Firefox DLL Loading Error Lets Remote Users Execute
Arbitrary Code; SecurityTracker URL:
http://securitytracker.com/id?1024406
(2010-09-08)

[10] Mozilla Firefox Bugs Let Remote Users Conduct Cross-Site Scripting
Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary
Code, SecurityTracker URL:
http://securitytracker.com/id?1024401
(2010-09-08)

  • openSUSE 11.2 with GNOME 2.28.2 (or KDE 4.3.5) and Kernel Linux
    2.6.31.14-7-desktop (or 2.6.31.12-0.2-pae -default, Ubuntu 10.4
    2.6.33-24-generic, MS Win XP)
  • Samsung X20 Pentium M 740 (1730 MHz) Intel 915GM 1400x1050
  • openSUSE profile: https://users.opensuse.org/show/pistazienfresser

Report to the mailing list,

openSUSE:Mailing lists - openSUSE

For Thunderbird or Firefox, report to opensuse-factory-mozilla.

They may tell you to report a bug:

https://bugzilla.novell.com/index.cgi

There is no easier way? I am not subscribed to all of the (80-100?) openSUSE mailing lists and so do not know which one is open without (at least) first confirming my email address separately.

So apart from this special mozilla issue:

it seems to be a case for the project or the “project-and-organisation-bugzilla”.

Regards

pistazienfresser

Then report a bug. Personally, I have a mail account dedicated to lists, and it’s easy to subscribe/unsubscribe at any time.

Thanks, chief_sealth, for your suggestions. I followed the one from your posting before and used the factory-mozilla mailing list.

@all

(1)
To the concrete problem with Mozilla programs, you may look at:
http://lists.opensuse.org/opensuse-factory-mozilla/2010-09/msg00000.html
I subscribed with access only ( opensuse-factory-mozilla+subscribe-nomail@opensuse.org ) and forwarded my posting/message here from the forums with the sources.

(2)
Back from the (second) example to the topic:

(2.1)
I think an option like all-mozilla+subscribe-nomail@opensuse.org to get access to all the 80-100 mailing lists at once would be fine.
(2.2)
Is there a special bugzilla form “Bugs confirmed by Vendor” or/and “public known bugs” or a short bugzilla way to do things like that?
(2.3)
Could and should the security letters etc. of the different vendors be automatically forwarded to the according special openSUSE mailing lists?

Regards
pistazienfresser

On 2010-09-10 10:00, pistazienfresser wrote:

> @ all:
> Does anyone know how to act to speed up an update related to a (not by
> personal experience) known security issue without being able to maintain
> it myself?
> A fake bug report?

A real bug report :slight_smile:

You can ask in the security mail list. That’s where I usually start with such things.

By the way: you can read probably all suse mail lists via gmane, using nntp. I think you don’t need
a subscription for read access, but you need a real mail address before you can post - which has to
be subscribed to the real mailing list. I don’t know if gmane does the subscription for you, but
they verify your address is subscribed before they allow you to post, IIRC.

(I don’t have a link ready, I’m off the net at the moment).


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Minas Tirith))

Hm. A bug report was already opened on
12-Aug-2010 15:05 UTC:
Bug 630771 - VUL-0: opera: version 10.61 fixes three security bugs
https://bugzilla.novell.com/show_bug.cgi?id=630771

But this report was just not on the download failure issue like
Bug 633816 - Opera 10.60 opens an ISO file as html or text instead to start the download
https://bugzilla.novell.com/show_bug.cgi?id=633816
of 23-Aug-2010 19:46:31 UTC

Puzzled
pistazienfresser

https://bugzilla.novell.com/show_bug.cgi?id=639552

Regards
pistazienfresser

Bug 639552 - VUL-0: Mozilla Firefox 3.6.8 a. o.: version 3.6.9 and 3.5.12 fixes security bug Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code (related: Thunderbird 3.1.2 Thunderbird 3.0.6 SeaMonkey 2.0.6 )

[…] *** This bug has been marked as a duplicate of bug 637303 ***

:sarcastic:
But that duplicate is very, very secret:
https://bugzilla.novell.com/show_bug.cgi?id=637303

Access Denied
You are not authorized to access bug #637303.
Seems to have been a known bug for some time but hidden from the openSUSE users.

So Novell/openSUSE are ‘hiding’ an already known, published and vendor-affirmed security bug.
/:sarcastic:
Just hiding the discussion, not the title, seems to me an obvious solution.

Seems also the hidden bug report was filed a bit after
Mon, 6 Sep 2010 09:23:09 +0000 (Bug 637294, “[Bug 637294] New: accessibility issues with Yast checkboxes and radio bu”, http://lists.opensuse.org/opensuse-bugs/2010-09/msg00726.html ).

A commit to factory for 3.6.9
came on the 10 Sep 2010:
commit MozillaFirefox for openSUSE:Factory

± security update to 3.6.9 (bnc#637303) […]
The whole bug report system seems to me a bit illogical (a bug in the bugzilla system?).

On the concrete example I am actually happy

The Mozilla Firefox 3.6.9 was freezing if I let it play with some unstable vlc player stuff:
https://bugzilla.novell.com/show_bug.cgi?id=639720

Today I am actually happy with Firefox 3.6.10 and the older stable version of vlc, but I do not really get the sense in hiding bug reports on known and affirmed issues and security messages weeks after the bug is published and when the software is already offering me this information (and the patch)…

But not happy on the issue of this thread
Security issues: How do/should users, maintainers and developers work together?

I may add:

openness in opensuse?

puzzled
pistazienfresser

I’m not sure where you see a problem. The developers don’t visit the forums, but there are the mailing lists and the bug tracker to communicate. I would recommend joining the users’ mailing list (opensuse@opensuse.org), and possibly factory. This will give you direct communication with the developers.

(1)

One problem:

It would be nice to inform an openSUSE user of a confirmed security related bug when it is actually of interest.

Not only after the bug has just been fixed automatically and weeks after it has been confirmed by others and published by the vendors. In that latter state/on that later date a so called “opensuse-security-announce” may be of historical interest or something like that.

And if a user would search for an issue like that on the bugzilla he would not be able to see it or even information about its existence as it would be not openly discussed or even announced but in a closed and hidden thread.

But as (http://lists.opensuse.org/opensuse-factory-mozilla/2010-09/msg00006.html) in the already mentioned thread:
if I really think about trying to change I should try to start a discussion on the project or the security or another mailing list or/and make a bug report in and on bugzilla.

To the initial question how do users, maintainers and developers work together on issues like that, and to the related question: if at all? For my part I got something like an answer to those questions.

(2)

(2.1)
If this should be a suggestion that I should just use or subscribe to one or more other mailing lists:
I think I have subscribed already to all the named and some more mailing lists and sometimes I even write something to them: compare Search the openSUSE Mailinglist Archive. If someone searches in all mailing lists for “Firefox 3.6.9” (http://lists.opensuse.org/cgi-bin/search.cgi?list=all&query=“Firefox%203.6.9”) she or he will get one of my mails as 3rd of 14 results; searching for Mozilla+Security+“3.6.9” gives one of my mails and postings as 4th of 8.

And I do not see the relation of that recommendation to the issue of this thread or with the two given examples. As shown above (compare given links) I used mailinglists and the bugzilla.

(2.2)
If that should be an answer to the initial question -
Yes, I think that may describe that given status.

The next time I will just think of bugzilla first -
I will use it myself if I see a proven security bug with software
or will engage an other user to do so if she or he sees a problem that is probably not only user behavior related.

Kind Regards
pistazienfresser

On 2010-09-16 14:36, pistazienfresser wrote:

>> […] *** This bug has been marked as a duplicate of ‘bug 637303’

>> Access Denied
>> You are not authorized to access bug #637303. Seems to be a known bug for some time but to the openSUSE users hidden.

Yes, that’s a known issue with the bugzilla system. By default, a security bug has the “private”
flag activated, so that only employees and the reporter can see it. I always deactivate it, unless
I’m attaching logs with private info.

In your case: just reopen the first bug with the complaint that the second bug is private. That’s the
proper procedure, IMO. If that report really has to be kept private, then you can make one bug
resolution depend on another bug, to force them to report the final resolution on both, and then
close both.

If you get no response, ask in the security mail list.

No response, another mail list, perhaps the general one. It depends on the problem.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))