User:Ajak/Security Notes

I do a bit of security bug wrangling for Gentoo. Here are some quirks with upstreams, and other related things, that I think would be useful to document. For most of the software mentioned here, release announcement mailing lists and other announcement methods can be found on Sam's release announcement page.

Oracle CPU Advisories
Oracle provides quarterly critical patch updates for their software. The advisories for these announce vulnerabilities discovered in their software (example). Gentoo carries several of these pieces of software, including several forks of them, which are generally vulnerable to the same issues. They will need bugs filed if affected by any announced vulnerabilities:

Java
We don't have dev-java/oracle-{jre,jdk}-bin themselves in tree anymore (bug 732630, bug 717638), but we still have dev-java/icedtea{,-bin} and dev-java/openjdk{,-jre-bin,-bin}.

Virtualbox
No surprises here, app-emulation/virtualbox.

MySQL
Not only can there be vulnerabilities in dev-db/mysql itself, but also sometimes in dev-db/mysql-connector-c{,++}.

It has a couple of forks, each with its own associated software too: dev-db/percona-server, dev-db/mariadb{,-connector-c}. Not all of the issues affecting MySQL will affect MariaDB, so generally we should wait until MariaDB upstream publishes their own advisory before filing the MariaDB bug, as annoying as that may end up being with mangling trackers.

Misc
MITRE is typically the catch-all assigner for CVEs. Almost always, if a piece of software is not covered by a CNA, CVEs for that software are assigned and updated by MITRE. Recently, however, MITRE has apparently offloaded some of this responsibility onto Red Hat for certain software. In practice, this means CVE update requests sent to MITRE for certain software will be met with a response directing the request to secalert AT redhat.com, even if the CVE was originally assigned by MITRE. Affected packages discovered so far are dev-db/postgresql and dev-lang/python.