#674 [openssl] Update to openssl 3.0.2 | rhbz#2064453
Closed by blockerbot. Opened by blockerbot.

Bug details: ** https://bugzilla.redhat.com/show_bug.cgi?id=2064453 **
Information from BlockerBugs App:
2064453

Current vote summary

The votes have been last counted at 2022-03-17 00:23 UTC and the last processed comment was #comment-786298

To learn how to vote, see:
https://pagure.io/fedora-qa/blocker-review
A quick example: BetaBlocker +1 (where the tracker name is one of BetaBlocker/FinalBlocker/BetaFE/FinalFE/0Day/PreviousRelease and the vote is one of +1/0/-1)
BetaBlocker +1
We cannot ship a release with a known CVE from January, and now another one.

I agree. If serious security issues can be avoided, we should do it.

BetaBlocker +1

FinalBlocker +1
BetaFE +1
BetaBlocker -1

(Edited to update based on adam's correction)

BetaBlocker +1

imo, this is an ideal candidate for a waiver via our late blocker policy

Did anyone bother to check the criteria?

The security criterion is Final, not Beta, and that was a conscious choice: the logic is that you're not supposed to run betas in production, so security requirements should apply to final.

Please do check the criteria before voting, we have them for a reason.

BetaBlocker -1
BetaFE +1
FinalBlocker +1

Fair enough @adamwill :)

BetaBlocker -1
BetaFE +1
FinalBlocker +1

BetaBlocker -1
BetaFE +1
FinalBlocker +1

AGREED AcceptedFinalBlocker
AGREED AcceptedBetaFE

The following votes have been closed:

The security criterion is Final, not Beta, and that was a conscious choice: the logic is that you're not supposed to run betas in production, so security requirements should apply to final.

The security criterion applies to issues that "cannot be satisfactorily resolved by a package update (e.g. issues during installation)." But this one can be fixed easily enough by updating OpenSSL. Looking at the impact of this issue, the serious risk here is a denial of service attack (infinite loop) against OpenSSL servers when client certificate verification is enabled, which is not relevant to our installation or live environments (nobody should be running servers from the beta live environment). It's certainly not great for OpenSSL clients either, but hanging a client seems more like a moderate-impact issue, not important impact. I suppose a malicious NTP server or package mirror could try to use this to hang anaconda in an infinite loop, which would be unfortunate, but I think life goes on if this happens.

I don't want to downplay the seriousness of "oops, we forgot to update OpenSSL for six months", but it doesn't fit the security criterion.

BetaBlocker -1
BetaFE -1
FinalBlocker -1

Oh oops, I see I'm too late. Well whatever.

You're not too late for the Beta blocker vote, that's still open. Your point makes a good deal of sense for FE, too, honestly - I'll keep it in mind and we can re-open that vote if others are persuaded by it.

BetaBlocker -1
BetaFE +1

Metadata Update from @blockerbot:
- Issue status updated to: Closed (was: Open)

Release F36 is no longer tracked by BlockerBugs, closing this ticket.
