Dear debian-doc, The current "Security Infrastructure" section of the Securing Debian Manual is quite out of date. I have attached a patch that makes a number of changes to better reflect the current situation. I don't think the section is perfect yet, so feel free to improve more, but I do believe it gets significantly better with this patch. Perhaps the most important change is the removal of the part "Developer's guide to security updates". As it was noted in the manual already, this section should be removed as the canonical place is the developer's reference, and the section is not quite complete. Please consider to apply this. If you have questions about any of the changes feel free to contact me. thanks, Thijs
Index: en/infrastructure.sgml =================================================================== --- en/infrastructure.sgml (revision 5766) +++ en/infrastructure.sgml (working copy) @@ -4,8 +4,7 @@ <sect id="debian-sec-team">The Debian Security Team -<p>Debian has a Security Team, made up of five members and two -secretaries who handle security in the <em>stable</em> +<p>Debian has a Security Team, that handles security in the <em>stable</em> distribution. Handling security means they keep track of vulnerabilities that arise in software (watching forums such as Bugtraq, or vuln-dev) and determine if the <em>stable</em> @@ -14,25 +13,14 @@ <p>Also, the Debian Security Team is the contact point for problems that are coordinated by upstream developers or organizations such as <url id="http://www.cert.org"; name="CERT"> which might affect multiple -vendors. That is, when problems are not Debian-specific. There are two -contact points with the Security Team: - -<list> - -<item><url id="mailto:team@security.debian.org"; +vendors. That is, when problems are not Debian-specific. The contact +point of the Security Team is <url id="mailto:team@security.debian.org"; name="team@security.debian.org"> which only the members of the security team read. -<item><url id="mailto:security@debian.org"; name="security@debian.org"> -which is read by all Debian developers (including the security -team). Mails sent to this list are not published in the Internet (it's -not a public mailing list). - -</list> - <p>Sensitive information should be sent to the first address and, in some cases, should be encrypted with the Debian Security Contact key -(key ID 363CCD95). +(as found in the Debian keyring). <p>Once a probable problem is received by the Security Team it will investigate if the <em>stable</em> distribution is affected and if it @@ -40,7 +28,7 @@ include backporting the patch made upstream (which usually is some versions ahead of the one distributed by Debian). After testing of the fix is done, new packages are prepared and published in the <url -id="security-master.debian.org"> site so they can be retrieved through +id="security.debian.org"> site so they can be retrieved through <prgn>apt</prgn> (see <ref id="security-update">). At the same time a <em>Debian Security Advisory</em> (DSA) is published on the web site and sent to public mailing lists including <url @@ -57,7 +45,7 @@ vulnerability is discovered that affects a Debian package. These advisories, signed by one of the Security Team members, include information of the versions affected as well as the location of the -updates and their MD5 sums. This information is: +updates. This information is: <list> <item>version number for the fix. @@ -70,8 +58,8 @@ </list> -<p>DSAs are published both in <url id="http://www.debian.org/"; -name="Debian's mainserver frontpage"> and in the <url +<p>DSAs are published both on <url id="http://www.debian.org/"; +name="Debian's frontpage"> and in the <url id="http://www.debian.org/security/"; name="Debian security pages">. Usually this does not happen until the website is rebuilt (every four hours) so they might not be present immediately. The preferred @@ -109,11 +97,10 @@ and <url id="http://www.kb.cert.org/vuls"; name="US-CERT Vulnerability Notes Database"> as well as CVE names (see below). These references are provided for convenience use, but only CVE references are -periodically reviewed and included. This feature was added to the -website on June 2002. +periodically reviewed and included. -<p>One of the advantages of adding cross references to these -vulnerability databases is that: +<p>Advantages of adding cross references to these +vulnerability databases are: <list> <item>it makes it easier for Debian users to see and track which @@ -162,26 +149,14 @@ deployed regardless of whether or not they are based on the Debian distribution. -<p>Debian started adding CVE names to DSAs in June 2002, and now -provides CVE names for all DSAs released since September 1998 after a -review process started on August 2002. All of the advisories can be +<p>Debian +provides CVE names for all DSAs released since September 1998. +All of the advisories can be retrieved on the Debian web site, and announcements related to new vulnerabilities include CVE names if available at the time of their release. Advisories associated with a given CVE name can be searched -directly through the <url id="http://search.debian.org/"; name="search engine">. +directly through the Debian Security Tracker (see below). -<p>Users who want to search for a particular CVE name can use the web -search engine available in debian.org to retrieve advisories available -(in English and translated to other languages) associated with CVE -names. A search can be made for a specific name (like advisory <url -id="http://search.debian.org/?q=advisory+%22CAN-2002-0001%22&ps=50&o=1&m=all"; -name="CAN-2002-0001">) or for partial names (like all the 2002 -candidates included in advisories search for <url -id="http://search.debian.org/?q=advisory+%22CAN-2002%22&ps=50&o=1&m=all"; -name="CAN-2002">). Notice that you need to enter the word "advisory" -together with the CVE name in order to retrieve only security -advisories. - <p>In some cases you might not find a given CVE name in published advisories, for example because: @@ -198,6 +173,24 @@ </sect> +<sect>Security Tracker + +<p>The central database of what the Debian security teams know about +vulnerabilities is the <url +id="http://security-tracker.debian.net"; +name="Debian Security Tracker">. It cross references packages, +vulnerable and fixed versions for different suites, CVE names, +Debian bug numbers, DSA's and miscellaneous notes. It can be +searched, e.g. by CVE name to see which Debian packages are affected +or fixed, or by package to show unresolved security issues. +The only information missing from the tracker is confidential +information that the security team received under embargo. + +<p>The package <prgn>debsecan</prgn> uses the information in the +tracker to report to the administrator of a system which of the +installed packages are vulnerable, and for which updates are +available to fix security issues. + <sect>Debian Security Build Infrastructure <p>Since Debian is currently supported in a large number of @@ -206,20 +199,8 @@ matter of fact, except for rare circumstances, updates are available to all architectures at the same time. -<p>While previously the task to build security updates was done by -hand, it is currently not (as Anthony Towns describes in -<url id="http://lists.debian.org/debian-devel-announce/2002/debian-devel-announce-200206/msg00002.html"; name="a mail"> -sent to the debian-devel-announce mailing list dated 8th June -2002). - -<p>Packages uploaded by the security team (to <url -id="ftp://security-master.debian.org:/org/security.debian.org/queue/unchecked";> or -<url id="ftp://security-master.debian.org/pub/SecurityUploadQueue";>) -with an appropriate patch are checked for signatures withing fifteen -minutes of being uploaded. Once this is done they get added to the -list of the autobuilders (which no longer do a daily archive -run). Thus, packages can get automatically built for <em>all</em> -architectures thirty minutes or an hour or so after they're uploaded. +<p>Packages in the security archive are autobuilt, just like the +regular archive. However, security updates are a little more different than normal uploads sent by package maintainers since, in some cases, before being published they need to wait until they can be tested further, an @@ -228,7 +209,7 @@ fix it. <p>Thus, the security upload archive works with the following -procedure (called <em>"Accepted-Autobuilding"</em>): +procedure: <list> @@ -269,7 +250,7 @@ <item>sets up a template advisory that the security team can finish off. -<item>(optionally) forwards the packages to the appropriate +<item>forwards the packages to the appropriate proposed-updates so that it can be included in the real archive as soon as possible. @@ -277,162 +258,12 @@ </list> -<p>This procedure, previously done by hand, was tested and put through -during the freezing stage of Debian 3.0 woody (July 2002). Thanks to this -infrastructure the Security Team was able to have updated packages -ready for the apache and OpenSSH issues for all the supported (almost -twenty) architectures in less than a day. +<p>Information for Debian Developers on dealing with security bugs +in their package and building updates for the +security archive can be found in the <url +id="http://www.debian.org/doc/developers-reference/pkgs.html#bug-security"; name="Developer's Reference">. -<sect1>Developer's guide to security updates - -<p>This mail was sent by Wichert Akkerman to the <url -id="http://lists.debian.org/debian-devel-announce/2002/debian-devel-announce-200206/msg00004.html"; -name="Debian-devel-announce mailing list"> in order to describe Debian -developer's behavior for handling security problems in their -packages. It is published here both for the benefit of developers as -well as for users to understand better how security is handled in Debian. - -<p>FIXME: Please note that the up to date reference for this information is -the <url id="http://www.debian.org/doc/manuals/developers-reference/ch-pkgs#s-bug-security"; name="Debian Developer's Reference">, this section will be -removed in the near future. - -<sect2>Coordinating with the security team - -<p>If a developer learns of a security problem, either in his package -or someone else's he should always contact the security team (at -team@security.debian.org). They keep track of outstanding security -problems, can help maintainers with security problems or fix them -themselves, are responsible for sending security advisories and -maintaining security.debian.org. - -<p>Please note that security advisories are only done for release -distributions, not for testing, unstable (see <ref id="sec-unstable">) -or older distributions (see <ref id="sec-older">). - -<sect2>Learning of security problems - -<p>There are a few ways a developer can learn of a security problem: - -<list> -<item>he notices it on a public forum (mailing list, website, etc.). -<item>someone files a bugreport (the <em>Security</em> tag should be -used, or added by the developer). -<item>someone informs him via private email. -</list> - -<p>In the first two cases the information is public and it is important -to have a fix as soon as possible. In the last case however it might -not be public information. In that case there are a few possible options -for dealing with the problem: - -<list> - -<item>if it is a trivial problem (like insecure temporary files) there is no - need to keep the problem a secret and a fix should be made and - released. - -<item>if the problem is severe (remote exploitable, possibility to gain root - privileges) it is preferable to share the information with other - vendors and coordinate a release. The security team keeps contacts - with the various organizations and individuals and can take care of - that. - -</list> - -<p>In all cases if the person who reports the problem asks to not -disclose the information that should be respected, with the obvious -exception of informing the security team (the developer should make -sure he tells the security team that the information cannot be -disclosed). - -<p>Please note that if secrecy is needed the developer can also not -upload a fix to unstable (or anywhere else), since the changelog -information for unstable is public information. - -<p>There are two reasons for releasing information even though secrecy -is requested/required: the problem has been known for too long, or -the information becomes public. - -<sect2>Building a package - -<p>The most important guideline when making a new package that fixes a -security problem is to make as few changes as possible. People are -relying on the exact behavior of a release once it is made, so any -change made to it can possibly break someone's system. This is -especially true of libraries: the developer must make sure he never -changes the API or ABI, no matter how small the change. - -<p>This means that moving to a new upstream version is not a good solution, -instead the relevant changes should be backported. Generally upstream -maintainers are willing to help if needed, if not the Debian Security -Team might be able to help. - -<p>In some cases it is not possible to backport a security fix, for -example when large amounts of source code need to be modified or -rewritten. If that happens it might be necessary to move to a new -upstream version, but it should always be coordinated with the security team -beforehand. - -<p>Related to this is another important aspect: developers must always -test your change. If there is an exploit the developer should try if -it indeed succeeds on the unpatched package and fails on the fixed -package. The developer should try normal usage as well, sometimes a -security fix can break normal use subtly. - -<p>Finally a few technical things for developers to keep in mind: - -<list> -<item>Make sure you target the right distribution in your debian/changelog. - For stable this is stable-security and for testing this is - testing-security. Do not target <codename>-proposed-updates. - -<item>Make sure the version number is proper. It has to be higher than the - current package, but lower than package versions in later - distributions. For testing this means there has to be a higher version - in unstable. If there is none yet (testing and unstable have the same - version for example) upload a new version to unstable first. - -<item>Do not make source-only uploads if your package has any binary-all - packages. The buildd infrastructure will not build those. - -<item>Make sure when compiling a package you compile on a clean system - which only has packages installed from the distribution you are - building for. If you do not have such a system yourself you - can try a debian.org machine (see http://db.debian.org/machines.cgi) - or set up a chroot (the <package>pbuilder</package> and - <package>debootstrap</package> packages can be helpful in that - case). - -</list> - -<sect2>Uploading security fixes - -<p>After the developer has created and tested the new package it needs to be -uploaded so it can be installed in the archives. For security uploads -the place to upload to is -ftp://security-master.debian.org/pub/SecurityUploadQueue/ . - -<p>Once an upload to the security queue has been accepted the package will -automatically be rebuilt for all architectures and stored for -verification by the security team. - -<p>Uploads waiting for acceptance or verification are only accessible by -the security team. This is necessary since there might be fixes for -security problems that cannot be disclosed yet. - -<p>If a member of the security team accepts a package it will be installed -on security.debian.org as well as the proper <codename>-proposed-updates -in ftp-master or non-US archive. - -<sect2>The security advisory - -<p>Security advisories are written and posted by the security team. However -they certainly do not mind if a maintainer can supply (part of) the text -for them. Information that should be in an advisory is described in -<ref id="dsa">. - - <sect id="deb-pack-sign">Package signing in Debian <p>This section could also be titled "how to upgrade/update safely
Attachment:
pgpyPIU4Z5rKM.pgp
Description: PGP signature