
Proposal/suggestion for security team w.r.t. published vulnerabilities


As I promised in [1], a suggestion for the Debian security team.

Since the security team is generally very busy sorting out any kind of
vulnerability, sometimes fixes can take a little bit longer than usual,
especially if the impact is relatively low.

Taking the Social Contract's 'We will not hide problems', and those
vulnerabilities that have already been made public, I think it'd be a
good idea if the security team, once a vulnerability is already made
public, for example via a Bugtraq or something, or some other
vendor/upstream announced it, files a bug (tag woody usually I guess) in
the BTS about it. There is no longer reason to hide the problem, i.e.,
keep it away from the BTS once it is published. This also enables other
people to

1) see there is a security defect in that package in woody
2) help solving it by adding patches, so the security team only has to
check the patches

As an example, take CAN-2004-0519, CAN-2004-0520 and CAN-2004-0521, all
three not yet solved in woody, but also not filed in the BTS (hm, two of
them directly refer to a patch[2][3] solving it...).

Therefore, I'd like to ask the security team to file grave bugs with
security+woody on packages for which a vulnerability has been made
public, and a security announcement isn't nearly-ready. I can't imagine
this would interfere too much with the issue tracker or whatever the
security team internally uses to track issues.

Or is there some reason filing bugs like I described here isn't


[1] http://lists.debian.org/debian-security/2004/07/msg00030.html
[2] http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712
[3] http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108309375029888

Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
