
Re: Proposal/suggestion for security team w.r.t. published vulnerabilities

On Tue, Jul 06, 2004 at 08:06:36PM +0200, Jeroen van Wolffelaar wrote:
> Hi,
> As I promised in [1], a suggestion for the Debian security team.
> Since the security team is generally very busy sorting out any kind of
> vulnerability, sometimes fixes can take a little bit longer than usual,
> especially if the impact is relatively low.

Funny, you are observing that the security team is overworked and you 
suggest adding "Yet Another Thing To Do" (tm) to their list.

> Therefore, I'd like to ask the security team to file grave bugs with
> security+woody on packages for which a vulnerability has been made
> public, and a security announcement isn't nearly-ready. I can't imagine
> this would interfere too much with the issue tracker or whatever the
> security team internally uses to track issues.

Why does the security team have to do this? Anybody can do it. BTS reports
can serve as a reminder or as a way to inform both the maintainer and the
security team for known vulnerabilities. It also helps users who might
track bugs related to woody and, even now in a time close to release, it 
might help track bugs in sarge so that we don't ship a new release with 
software that includes security vulnerabilities.

Actually, the security team will probably appreciate it if bug submitters do
the following:

1.- include a CVE name (in order to distinguish the vulnerability from
previous ones). After all, we _are_ CVE compatible (almost all DSAs include
CVE names)

2.- tag the bug based on the version that is vulnerable (woody, sarge, sid,
or all/some of them). Sometimes you might need to actually check out the 
code to see if the version in stable is vulnerable.

3.- provide a patch for the stable release

I know that the security team will probably appreciate it if all this work is
done for publicly known vulnerabilities. A bug submitter should make an 
effort (if he wants to help out the security team and not hinder it) to 
provide more info than just a Bugtraq post (which is in many cases 
incomplete or simply not correct/true/relevant). He should also make an 
effort to review http://www.debian.org/security/nonvulns-woody and see if 
the issue has already been determined _not_ to affect woody.

> Or is there some reason filing bugs like I described here isn't
> wanted?

None I know of. Actually, there are bugs open in the BTS tagged 'security'
that might get a DSA when the security team finds the time to do it. There
are priorities regarding which packages should get DSAs first and there are
some packages, like the kernel, which are not that easy to publish DSAs

The security team will probably appreciate people giving a hand in 
debugging these issues in detail (as opposed to just forwarding a Bugtraq 
PS: I don't imply that I do this myself correctly every time, I've probably 
reported security bugs incorrectly a number of times, these are just some 
"good practice guidelines" I believe bug submitters should adhere to.

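For readers who have not filed a security bug against the BTS before, here is what a report following the three points above looks like when mailed to submit@bugs.debian.org. This is an added illustration, not part of the original message or of any Debian documentation; the package name "foo", the version string, the CVE name "CVE-YYYY-NNNN" and the patch file name are placeholders, and the Severity and Tags pseudo-headers are the standard BTS ones (grave, security, woody/sarge/sid, patch).

```text
To: submit@bugs.debian.org
Subject: foo: remote denial of service, CVE-YYYY-NNNN (placeholder name)

Package: foo
Version: 1.2.3-4
Severity: grave
Tags: security woody patch

Bugtraq post <URL of the advisory> reports an issue in foo. The CVE name
assigned to this issue is CVE-YYYY-NNNN (placeholder; use the real name
from the CVE list so the security team can match it against DSAs).

Affected versions (checked against the source, not just the advisory):
  woody  1.2.3-4   vulnerable (the affected function is present unchanged)
  sarge  1.3.0-1   vulnerable
  sid    1.3.1-1   fixed upstream in 1.3.1

http://www.debian.org/security/nonvulns-woody does not list this issue.

A backport of the upstream fix against the woody source is attached
(foo-1.2.3-4-CVE-YYYY-NNNN.diff, placeholder file name).
```

The "Tags:" line is what lets the maintainer, the security team and users tracking a release find the report; drop "woody" if the stable version turns out not to be affected, and drop "patch" until an actual diff is attached.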
