Hi everyone,
I was thinking that it might be good to create a page in the
audit webpages related to those security bugs that the security
audit team have opened up. Since some of the work of the security
team does not necesarily end up as DSAs, it might be a way to
show off that the security audit team is also helping up doing
Q&A of packages even before they get into the stable release.
Attached is a sample including some of the insecure temporary
file usage I have brought up to the security team and to package
maintainers through bugs. I have sent some more of them today
(that's why some are missing the bug number).
I actually told the security team of these bugs a long time ago
(this summer) but I have not been able to open up bug reports and follow
up on some of the issues until today. Notice that some of them
don't actually merit a DSA, even though there have been a few
DSAs recently (due to a Trustix audit) related to insecure temporary
filename usage.
Regards
Javier