From Gentoo Wiki
< User:Sam
This page is intended to provide useful resources for performing security project work in Gentoo (e.g. identifying vulnerable packages, finding bugs to triage).
I started a list of such packages.
See this page for sources of new release information.
- Note that it's very easy for a bug to get 'stuck' in one of these states, especially [upstream/ebuild] and [upstream].
- We need to check the references and/or ask the maintainer what their plans are if a patch exists.
- Waiting for an ebuild (upstream has released a fixed version)
- A patch is available; we may want to wait for a new release (ask the maintainer)
- Waiting for upstream (the issue may have been fixed since we last checked, meaning we may change to upstream/ebuild, or to ebuild if a release was made)
- Waiting to stable (the maintainer may or may not have told us to wait; if they have not commented and it has been a little while, we need to ping them and ask)
- Stabilisation (sometimes we need to ping arches if it has been a while; sometimes people forget to change the whiteboard to this state; sometimes stabilisation is already done and we need to change to cleanup)
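As an added illustration of the "stuck bug" check described above (this is example code, not part of the original page or any Gentoo tooling): it parses the bracketed state token out of a whiteboard string and flags bugs that have sat in a state longer than an assumed per-state threshold. The thresholds, bug ids, dates and the rating prefixes in the sample whiteboard strings are all constructed for the example.

```python
import re
from datetime import date

# Whiteboard states named on this page, with the number of idle days after
# which a bug in that state deserves a look. Thresholds are assumed, not policy.
STALE_AFTER_DAYS = {
    "upstream": 30,         # a fixed release may have appeared since last check
    "upstream/ebuild": 14,  # fixed release exists; maintainer may need a ping
    "ebuild": 14,           # patch available; ask the maintainer about plans
    "stable": 30,           # arches may need a ping
    "cleanup": 7,
}

# Matches the bracketed state token, e.g. "[upstream/ebuild]".
_STATE_RE = re.compile(r"\[([a-z/]+)\]")


def whiteboard_state(whiteboard):
    """Return the bracketed state token from a whiteboard string, or None."""
    m = _STATE_RE.search(whiteboard)
    return m.group(1) if m else None


def stuck_bugs(bugs, today):
    """Return (bug id, state, idle days) for bugs idle past their threshold.

    Each bug is a dict with 'id', 'whiteboard' and 'last_change' (a date).
    Bugs with no recognised state are skipped. Longest-idle first.
    """
    result = []
    for bug in bugs:
        state = whiteboard_state(bug["whiteboard"])
        if state not in STALE_AFTER_DAYS:
            continue
        idle = (today - bug["last_change"]).days
        if idle > STALE_AFTER_DAYS[state]:
            result.append((bug["id"], state, idle))
    return sorted(result, key=lambda r: r[2], reverse=True)


# Constructed sample records; ids, ratings and dates are made up.
SAMPLE_BUGS = [
    {"id": 1001, "whiteboard": "B3 [upstream]", "last_change": date(2023, 1, 10)},
    {"id": 1002, "whiteboard": "A2 [upstream/ebuild]", "last_change": date(2023, 3, 1)},
    {"id": 1003, "whiteboard": "B2 [stable]", "last_change": date(2023, 2, 1)},
    {"id": 1004, "whiteboard": "C4 [ebuild]", "last_change": date(2023, 3, 9)},
    {"id": 1005, "whiteboard": "", "last_change": date(2022, 1, 1)},
]


def demo():
    """Run the check over the sample records as of a fixed (constructed) date."""
    return stuck_bugs(SAMPLE_BUGS, date(2023, 3, 15))


if __name__ == "__main__":
    for bug_id, state, idle in demo():
        print(f"bug {bug_id}: [{state}] idle {idle} days")
```

Bug 1002 sits exactly at its threshold and is deliberately not flagged, so a real run against Bugzilla data would still need a human to decide whether "exactly two weeks" already merits a ping.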
Note that Repology isn't necessarily accurate: we may have patched vulnerabilities or already have open bugs, but it's a good sanity check.
We may need to create bugs for issues flagged up by this.
- Potentially vulnerable
- Potentially vulnerable and out of date
- maintainer-needed packages (all, not necessarily vulnerable, but it is particularly worth checking the ChangeLog for these)
- maintainer-needed (potentially vulnerable)