[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

developer's guide to security updates

A couple of developers have asked how to work with the new security
infrastructure that is being introduced. In order to answer these
questions the security team would like to introduce this document,
the developer's guide to security updates.

One note: this document says you have to upload security fixes
to security.debian.org. At this moment that is not true:
security.debian.org is still hosted on pandora and will be moved to
satie once the new security infrastructure has been fully tested.
Until that moment please upload to satie.debian.org instead.



Welcome to the developer's guide to security updates.

This document contains guidelines for Debian developers for handling
security problems in their packages. As usual with guidelines not
everything is written down or set in stone, use common sense where needed.

Coordinating with the security team

If you learn of a security problem, either in your package or someone
else's please always contact the security team. You can reach them
via email at team@security.debian.org. They keep track of outstanding
security problems, can help maintainers with security problems or fix
them themselves, are responsible for sending security advisories and
maintaining security.debian.org.

Please note that security advisories are only done for release
distributions, not for testing or unstable. 

Learning of security problems

There are a few ways a developer can learn of a security problem:
* he notices it on a public forum (mailing list, website, etc.)
* someone files a bugreport
* someone informs him via private email

In the first two cases the information is public and it is important
to have a fix as soon as possible. In the last case however it might
not be public information. In that case there are a few possible options
for dealing with the problem:

* if it is a trivial problem (like insecure temporary files) there is no
  need to keep the problem a secret and a fix should be made and

* if the problem is severe (remote exploitable, possibility to gain root
  privileges) it is preferable to share the information with other
  vendors and coordinate a release. The security team keeps contacts
  with the various organizations and individuals and can take care of

In all cases if the person who reports the problem asks to not disclose
the information that should be respected, with the obvious exception
of informing the security team (make sure you tell the security team
that the information can not be disclosed).

Please note that if secrecy is needed you can also not upload a fix
to unstable (or anywhere else), since the changelog information for
unstable is public information

There are two reasons for releasing information even though secrecy
is requested/required: the problem has been known for too long, or
the information becomes public.

Building a package

The most important guideline when making a new package that fixes a
security problem is to make as few changes as possible. People are
relying on the exact behaviour of a release once it is made, so any
change we make can possibly break someone's system. This is especially
true of libraries: make sure you never change the API or ABI, no matter
how small the change.

This means that moving to a new upstream version is not a good solution,
instead the relevant changes should be backported. Generally upstream
maintainers are willing to help if needed, if not the Debian security
team might be able to help.

In some cases it is not possible to backport a security fix, for example
when large amounts of sourcecode need to be modified or rewritten. If
that happens it might be necessary to move to a new upstream version,
but always coordinate that with the security team beforehand.

Related to this is another import aspect: always test your change. If
you have an exploit try if it indeed succeeds on the unpatched package and
fails on the fixed package. Try normal usage as well, sometimes a
security fix can break normal use subtly.

Finally a few technical things to keep in mind:

* Make sure you target the right distribution in your debian/changelog.
  For stable this is stable-security and for testing this is
  testing-security. Do not target <codename>-proposed-updates!

* Make sure the version number is proper. It has to be higher than the
  current package, but lower than package versions in later
  distributions. For testing this means there has to be a higher version
  in unstable. If there is none yet (testing and unstable have the same
  version for example) upload a new version to unstable first.

* Do not make source-only uploads if your package has any binary-all
  packages. The buildd infrastructure will not build those.

* Make sure when compiling a package you compile on a clean system
  which only has package installed from the distribution you are
  building for. If you do not have such a system yourself yourself you
  can try a debian.org machine (see http://db.debian.org/machines.cgi)
  or setup a chroot (the pbuilder and debootstrap packages can be
  helpful in that case).

Uploading security fixes

After you have created and tested the new package it needs to be 
uploaded so it can be installed in the archives. For security uploads
the place to upload to is
ftp://security.debian.org/pub/SecurityUploadQueue/ .

Once an upload to the security queue has been accepted the package will
automatically be rebuilt for all architectures and stored for
verification by the security team.

Uploads waiting for acceptance or verification are only accessible by
the security team. This is necessary since there might be fixes for
security problems that can not be disclosed yet.

If a member of the security team accepts a package it will be installed
on security.debian.org as well as the proper <codename>-proposed-updates
in ftp-master or non-US archive.

The security advisory

Security advisories are written and posted by the security team. However
they certainly do not mind if a maintainer can supply (part of) the text
for them. Information that should be in an advisory includes:

* version number for the fix
* problem type
* remote or locally exploitable
* short description of the package
* description of the problem
* description of the exploit
* description of the fix

 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

Attachment: pgpdkxBlj531p.pgp
Description: PGP signature

Reply to: