Re: Proposal/suggestion for security team w.r.t. published vulerabilities

To: Javier Fern?ndez-Sanguino Pe?a <jfs@computer.org>
Cc: debian-security@lists.debian.org
Subject: Re: Proposal/suggestion for security team w.r.t. published vulerabilities
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Date: Wed, 7 Jul 2004 13:17:01 +0200
Message-id: <[🔎] 20040707111701.GT6050@A-Eskwadraat.nl>
In-reply-to: <[🔎] 20040707004954.GA13858@dat.etsit.upm.es>
References: <[🔎] 20040706180636.GL9109@A-Eskwadraat.nl> <[🔎] 20040707004954.GA13858@dat.etsit.upm.es>

On Wed, Jul 07, 2004 at 02:49:54AM +0200, Javier Fern?ndez-Sanguino Pe?a wrote:
> On Tue, Jul 06, 2004 at 08:06:36PM +0200, Jeroen van Wolffelaar wrote:
> > Hi,
> > 
> > As I promised in [1], a suggestion for the Debian security team.
> > 
> > Since the security team is generally very busy sorting out any kind of
> > vulnerability, sometimes fixes can take a little bit longer than usual,
> > especially if the impact is relatively low.
> 
> Funny, you are observing that the security team is overworked and you 
> suggest adding "Yet Another Thing To Do" (tm) to their list.

Yes, that's a paradox, but since the security team simply has a list
with 'open issues that are already public', and nobody else has it
readily available, they are about the only ones able to do this well.

Matt Zimmerman provided me yesterday with a list of such issues,
it would be very hard for a non-security member to make that list. I'll
forward it to this list soon now.

> > Therefore, I'd like to ask the security team to file grave bugs with
> > security+woody on packages for which a vulnerability has been made
> > public, and a security announcement isn't nearly-ready. I can't imagine
> > this would interfere too much with the issue tracker or whatever the
> > security team internally uses to track issues.
> 
> Why does the security team have to do this? Anybody can do it.

Not without spending lots of time crawling through security lists,
CAN/CVE's, bugtraq, verifying whether debian has the offending version, etc.
Well, since usually the maintainer is informed about such an issue, the
maintainer _can_ submit such a bugreport when the issue is public. Maybe
that is a better solution then, but yet, one depends on the maintainer
in that case.

> I know that the security team will probably appreciate if all this work is
> done for publicly known vulnerabilities. A bug submitter  should make an 
> effort (if he wants to help out the security team and not hinder it) to 
> provide more info than just a Bugtraq post (which are in many cases 
> incomplete or are simply not correct/true/relevant). He should also made an 
> effort to review http://www.debian.org/security/nonvulns-woody and see if 
> the issue has already been determined _not_ to affect woody.

Like this for example:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=squirrelmail&include=woody

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

Attachment: pgpSN5omB8Mk7.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Proposal/suggestion for security team w.r.t. published vulerabilities
  - From: Matt Zimmerman <mdz@debian.org>

References:
- Proposal/suggestion for security team w.r.t. published vulerabilities
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
- Re: Proposal/suggestion for security team w.r.t. published vulerabilities
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: JULY 6th Lead Training 3 tips for working leads
Next by Date: Several security issues seeking help
Previous by thread: Re: Proposal/suggestion for security team w.r.t. published vulerabilities
Next by thread: Re: Proposal/suggestion for security team w.r.t. published vulerabilities
Index(es):
- Date
- Thread