Re: Proposal/suggestion for security team w.r.t. published vulerabilities
On Wed, Jul 07, 2004 at 01:17:01PM +0200, Jeroen van Wolffelaar wrote:
> On Wed, Jul 07, 2004 at 02:49:54AM +0200, Javier Fern?ndez-Sanguino Pe?a wrote:
> > Why does the security team have to do this? Anybody can do it.
> Not without spending lots of time crawling through security lists,
> CAN/CVE's, bugtraq, verifying whether debian has the offending version, etc.
How do you think the security team does it? We do not have a magic filter
which shows us only issues which affect Debian stable; this is all done by
It is helpful if users spend the time collecting information about a
vulnerability and forward a complete report to the Security Team with
everything they need.
This section in the Developer's Reference:
describes what information should be provided about a vulnerability.
Note that, as the FAQ says, it is not helpful to simply forward a message
from BUGTRAQ or full-disclosure, because we already receive those.
However, if you are able to track down additional information, such as
confirming the vulnerability in stable and finding an appropriate patch,
that _is_ helpful.
Since we are talking about publicly-known vulnerabilities, those wishing to
help out should feel free to CC their communications with the security team
to this (debian-security) mailing list, so that others do not duplicate
their work, and can see the status of the issue.
> Well, since usually the maintainer is informed about such an issue, the
> maintainer _can_ submit such a bugreport when the issue is public. Maybe
> that is a better solution then, but yet, one depends on the maintainer in
> that case.
Debian has a lot of MIA maintainers; if the maintainer is active, in touch
with upstream, and willing to help the security team, security problems with
the package in stable don't stagnate. It is the stagnant issues that
generally need help, because the maintainer, upstream or both are not