Re: Proposal/suggestion for security team w.r.t. published vulnerabilities
On Sat, Jul 10, 2004 at 12:29:11PM +0200, Florian Weimer wrote:
> * Adrian von Bidder:
> > I think Jeroen is thinking about security problems the security team
> > already knows about but has not yet had time to handle (and which have
> > already been made public somewhere else.) Stupid if somebody has to
> > search the sources *again* if the security team already has the
> > information.
> Actually, it's rather time-consuming to determine if a security
> vulnerability has been published. You have to discover the
> publication, and then you have to decide whether it's actually the
> same issue and if it's been disclosed completely.
The first thing that is done when a security issue gets to the
security team is to assign a CAN number after it's verified. CAN entries
are at first simply 'reserved' and hidden from the general public; at some
time, the content is set open for the public. I guess/assume that
opening up is mailed to the security team in some way, or otherwise
noticed. Then sending a mail to firstname.lastname@example.org with a cut&paste (yank &
put) of the CAN/CVE description shouldn't be that much effort.
But, this all IMHO, and it is still a wishlist request.
> Filing bug reports about public issues is something any DD or user can
> do. I don't think this should be added to the duties of the security
> team. I'd appreciate if they commented on new security bugs that are
> tagged woody, though.
The security team monitors every bug report tagged security; I have had it
happen that the security team responded earlier to a bug like that than I
had the chance... So, they do already.
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)