
Re: Team to patch vulnerabilities



Sure, start by looking at http://qa.debian.org/bts-security.html and
reading through the comments. I'm looking to have patches for potato,
woody and sarge for all the bugs listed there. The first step is to verify
the bug, the next is to check whether the bug is in other distributions
(potato, woody...). After that, check for upstream and 3rd party patches
(redhat?) or look at the differences between fixed and unfixed source
(sometimes this is fairly easy with CVS, sometimes it's hard when there's
several non-RC changes done at the same time). Sometimes by looking at the
source you can tell whether a program is vulnerable or not. Checking for
upstream and 3rd party information like on securityfocus.com, packetstorm
or other places can be useful.

Reading through the Security Team FAQ under http://security.debian.org is
probably a good idea. Reading the documentation for Developers under
http://www.debian.org/devel can be useful too. It is very important to
know how the BTS works...

It is my understanding that bug reports and additional information are
sent to the "maintainer" address only, so additional information should be
cc'd to interested people. Bugs should only be closed by the submitter or
maintainer... if they don't reply within about 10 days for information
about a security bug that's already in the BTS, inquire elsewhere about
the bug (perhaps here?). Tags potato, woody, sarge and sid are still not
totally understood by me, but they should be used appropriately. Don't
submit information that you are only speculating on (e.g., don't say
potato must be vulnerable without checking first, potato doesn't even
have some packages or features).

I'm amazed at the speed and quantity of responses. It's clear to me that
some more co-ordination is needed. I will be working on a strategy to keep
this team together and doing valuable work.

I'll be posting some kind of rough plan before the week is over. For now,
just use the BTS and contribute as best as you can.

     Drew Daniels

On Mon, 28 Apr 2003, Consti75 wrote:

> Hi,
> I would like to help, but don't really
> know how to start and what regulation etc.
> there are! Can you help me get
> started?
> Best regards,
> Constantin
>
> Drew Scott Daniels wrote:
>
> >Hi,
> >There are a large number of security issues discussed in the BTS.
> >http://qa.debian.org/bts-security.html lists almost all of them. I'm
> >looking at them and trying to create patches for some and bring them to
> >the attention of the appropriate parties. Any help would be appreciated.
> >
> >The security team has been releasing advisories like crazy and they seem
> >very overworked. If non security team people can help patch known security
> >issues, then Debian, and OpenSource software would be even more secure.
> >There are other social benefits too...
> >
> >I've been looking at creating a security audit team, but it looks like far
> >more help is needed to patch known problems.
> >
> >     Drew Daniels
> >
> >
> >
> >
>
>
>
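The triage steps above (verify the bug, then check which releases actually carry an affected version before tagging potato, woody or sarge) can be made mechanical for the version-comparison part. The script below is an added example, not code from this thread or from Debian: it reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision; '~' sorts before anything, letters before punctuation, digit runs compared numerically) so the check runs offline without calling dpkg --compare-versions. The package name "examplepkg", the per-release versions and the fixed-in versions are constructed sample data, and a release that does not ship the package at all is reported as "not present" rather than guessed at, which is the mistake the post warns against.

```python
"""Triage a BTS security entry across Debian releases by version comparison.

Added example; not code from the original mailing-list post or from Debian.
It reimplements dpkg's version ordering so that a bug's "fixed in" version
can be checked against each release's package version offline.  All package
names and versions below are constructed sample data.
"""


def _order(c: str) -> int:
    """Weight of one non-digit character, as dpkg orders them."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings (negative/zero/positive)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1 if i < len(a) else 0
            j += 1 if j < len(b) else 0
        # Digit run: strip leading zeros, then the longer number wins, else lexical.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        ai = i
        while i < len(a) and a[i].isdigit():
            i += 1
        bj = j
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = a[ai:i], b[bj:j]
        if len(na) != len(nb):
            return len(na) - len(nb)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(v: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Constructed sample data: versions of a hypothetical package in each release,
# as one would look them up before claiming a release is affected.
# None means the release does not ship the package at all.
PACKAGE_VERSIONS = {
    "examplepkg": {               # hypothetical package name
        "potato": None,           # not packaged in potato
        "woody": "1.2.3-4",
        "sarge": "1.3.0-1",
        "sid": "1.3.1-1",
    },
}


def triage(package: str, fixed_in, versions=PACKAGE_VERSIONS) -> dict:
    """Classify each release as 'not present', 'unknown' (no fixed version known
    for that release), 'vulnerable' (older than the fix) or 'fixed'.
    fixed_in is one version string, or a dict of release -> version when the
    fix was backported into a release-specific Debian revision."""
    result = {}
    for release, version in versions.get(package, {}).items():
        fix = fixed_in.get(release) if isinstance(fixed_in, dict) else fixed_in
        if version is None:
            result[release] = "not present"
        elif fix is None:
            result[release] = "unknown"
        elif compare_versions(version, fix) < 0:
            result[release] = "vulnerable"
        else:
            result[release] = "fixed"
    return result


if __name__ == "__main__":
    # Fix landed in upstream 1.3.1 (constructed); only sid already carries it.
    for release, status in triage("examplepkg", "1.3.1").items():
        print(f"{release:7} {status}")
```

Passing a dict as fixed_in matters for stable releases: a security fix is usually backported into a new Debian revision of the old upstream version, so a single upstream "fixed in" number would wrongly mark a patched woody package as vulnerable.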


