On Tue, Jul 06, 2004 at 08:06:36PM +0200, Jeroen van Wolffelaar wrote:
> Hi,
>
> As I promised in [1], a suggestion for the Debian security team.
>
> Since the security team is generally very busy sorting out any kind of
> vulnerability, sometimes fixes can take a little bit longer than usual,
> especially if the impact is relatively low.

Funny, you are observing that the security team is overworked and you
suggest adding "Yet Another Thing To Do" (tm) to their list.

> Therefore, I'd like to ask the security team to file grave bugs with
> security+woody on packages for which a vulnerability has been made
> public, and a security announcement isn't nearly-ready. I can't imagine
> this would interfere too much with the issue tracker or whatever the
> security team internally uses to track issues.

Why does the security team have to do this? Anybody can do it.

BTS reports can serve as a reminder or as a way to inform both the
maintainer and the security team of known vulnerabilities. It also helps
users who might track bugs related to woody and, even now in a time close
to release, it might help track bugs in sarge so that we don't ship a new
release with software that includes security vulnerabilities.

Actually, the security team will probably appreciate bug submitters doing
the following:

1.- include a CVE name (in order to discriminate vulnerabilities from
previous ones). After all we _are_ CVE compatible (almost all DSAs
include CVE names)

2.- tag the bug based on the version that is vulnerable (woody, sarge,
sid, or all/some of them). Sometimes you might need to actually check out
the code to see if the version in stable is vulnerable.

3.- provide a patch for the stable release

I know that the security team will probably appreciate it if all this
work is done for publicly known vulnerabilities.

A bug submitter should make an effort (if he wants to help out the
security team and not hinder it) to provide more info than just a Bugtraq
post (which are in many cases incomplete or are simply not
correct/true/relevant). He should also make an effort to review
http://www.debian.org/security/nonvulns-woody and see if the issue has
already been determined _not_ to affect woody.

> Or is there some reason filing bugs like I described here isn't
> wanted?

None I know of. Actually, there are bugs open in the BTS tagged
'security' that might get a DSA when the security team finds the time to
do it. There are priorities regarding which packages should get DSAs
first and there are some packages, like the kernel, which are not that
easy to publish DSAs for. The security team will probably appreciate
people giving a hand in debugging these issues in detail (as opposed to
just forwarding a Bugtraq mail).

Regards

Javier

PS: I don't imply that I do this myself correctly every time; I've
probably reported security bugs incorrectly a number of times. These are
just some "good practice guidelines" I believe bug submitters should
adhere to.