| … | |
… | |
| 2 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
2 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
| 3 | <guide link="/security/en/vulnerability-policy.xml"> |
3 | <guide link="/security/en/vulnerability-policy.xml"> |
| 4 | <title>Gentoo Linux Vulnerability Treatment Policy</title> |
4 | <title>Gentoo Linux Vulnerability Treatment Policy</title> |
| 5 | <author title="Author"> |
5 | <author title="Author"> |
| 6 | <mail link="koon@gentoo.org">Thierry Carrez</mail> |
6 | <mail link="koon@gentoo.org">Thierry Carrez</mail> |
| 7 | </author> |
7 | </author> |
| 8 | <author title="Author"> |
8 | <author title="Author"> |
| 9 | <mail link="jaervosz@gentoo.org">Sune Kloppenborg Jeppesen</mail> |
9 | <mail link="jaervosz@gentoo.org">Sune Kloppenborg Jeppesen</mail> |
| 10 | </author> |
10 | </author> |
| 11 | <author title="Author"> |
11 | <author title="Author"> |
| 12 | <mail link="vorlon@gentoo.org">Matthias Geerdsen</mail> |
12 | <mail link="vorlon@gentoo.org">Matthias Geerdsen</mail> |
| 13 | </author> |
13 | </author> |
| 14 | <author title="Author"> |
14 | <author title="Author"> |
| 15 | <mail link="rbu@gentoo.org">Robert Buchholz</mail> |
15 | <mail link="rbu@gentoo.org">Robert Buchholz</mail> |
| 16 | </author> |
16 | </author> |
|
|
17 | <author title="Author"> |
|
|
18 | <mail link="a3li@gentoo.org">Alex Legler</mail> |
|
|
19 | </author> |
| 17 | |
20 | |
| 18 | <abstract> |
21 | <abstract> |
| 19 | This document describes the policy used in Gentoo Linux to treat |
22 | This document describes the policy used in Gentoo Linux to treat |
| 20 | vulnerabilities discovered in the packages made available to our |
23 | vulnerabilities discovered in the packages made available to our |
| 21 | users. |
24 | users. |
| 22 | </abstract> |
25 | </abstract> |
| 23 | |
26 | |
| 24 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
27 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
| 25 | <!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
28 | <!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
| 26 | <license/> |
29 | <license/> |
| 27 | |
30 | |
| 28 | <version>1.2.7</version> |
31 | <version>1.4</version> |
| 29 | <date>2009-04-14</date> |
32 | <date>2012-02-02</date> |
| 30 | |
33 | |
| 31 | <chapter> |
34 | <chapter> |
| 32 | <title>Scope</title> |
35 | <title>Scope</title> |
| 33 | <section> |
36 | <section> |
| 34 | <title>Supported architectures</title> |
37 | <title>Supported architectures</title> |
| 35 | <body> |
38 | <body> |
| 36 | |
39 | |
| 37 | <p> |
40 | <p> |
| 38 | Gentoo Linux is offered on many different architectures. Some of these |
41 | Gentoo Linux is offered on many different architectures. Some of these |
| 39 | architectures have more developers than others and, as such, are able to |
42 | architectures have more developers than others and, as such, are able to |
| 40 | respond to new security vulnerabilities more quickly. While the ultimate goal |
43 | respond to new security vulnerabilities more quickly. While the ultimate goal |
| 41 | of the Gentoo Security project is to ensure that all architectures receive |
44 | of the Gentoo Security project is to ensure that all architectures receive |
| 42 | security fixes at the same time, we must also balance that against releasing |
45 | security fixes at the same time, we must also balance that against releasing |
| 43 | security fixes and GLSAs as quickly as possible so that the majority of our |
46 | security fixes and GLSAs as quickly as possible so that the majority of our |
| 44 | users are informed and protected. |
47 | users are informed and protected. |
| 45 | </p> |
48 | </p> |
| 46 | |
49 | |
| 47 | <p> |
50 | <p> |
| 48 | For this reason, the security team separates Gentoo architectures into two |
51 | For this reason, the Security Team separates Gentoo architectures into two |
| 49 | groups, <b>supported</b> and <b>unsupported</b>: |
52 | groups, <b>supported</b> and <b>unsupported</b>: |
| 50 | </p> |
53 | </p> |
| 51 | |
54 | |
| 52 | <ul> |
55 | <ul> |
| 53 | <li><b>Supported:</b> these architectures must have a stable fix committed |
56 | <li><b>Supported:</b> these architectures must have a stable fix committed |
| 54 | before the GLSA can be released</li> |
57 | before the GLSA can be released</li> |
| 55 | <li><b>Unsupported:</b> these architectures will be notified of new |
58 | <li><b>Unsupported:</b> these architectures will be notified of new |
| 56 | vulnerabilities (cc on relevant bugs), however, we will not wait for a stable |
59 | vulnerabilities (cc on relevant bugs), however, we will not wait for a stable |
| 57 | fix on these arches before issuing the GLSA and closing the bug</li> |
60 | fix on these arches before issuing the GLSA and closing the bug</li> |
| 58 | </ul> |
61 | </ul> |
| 59 | |
62 | |
| 60 | <p> |
63 | <p> |
| 61 | Here is the list of currently supported architectures: |
64 | Here is the list of currently supported architectures: |
| 62 | </p> |
65 | </p> |
| 63 | |
66 | |
| … | |
… | |
| 94 | supported by the Gentoo Security project: |
97 | supported by the Gentoo Security project: |
| 95 | </p> |
98 | </p> |
| 96 | |
99 | |
| 97 | <ul> |
100 | <ul> |
| 98 | <li>Appoint a developer who is the primary point of contact for security |
101 | <li>Appoint a developer who is the primary point of contact for security |
| 99 | issues (Architecture Security Liaison) related to your arch: This person is |
102 | issues (Architecture Security Liaison) related to your arch: This person is |
| 100 | responsible for ensuring that security bugs are adequately remediated on |
103 | responsible for ensuring that security bugs are adequately remediated on |
| 101 | their particular architecture</li> |
104 | their particular architecture</li> |
| 102 | <li>Agree to adhere to the published timelines for testing and |
105 | <li>Agree to adhere to the published timelines for testing and |
| 103 | marking packages as stable</li> |
106 | marking packages as stable</li> |
| 104 | </ul> |
107 | </ul> |
| 105 | |
108 | |
| 106 | </body> |
109 | </body> |
| 107 | </section> |
110 | </section> |
| 108 | <section> |
111 | <section> |
| 109 | <title>Release Engineering</title> |
|
|
| 110 | <body> |
|
|
| 111 | <p> |
|
|
| 112 | The Release Engineering ("releng") project appoints a developer to be the |
|
|
| 113 | primary point of contact for security issues. |
|
|
| 114 | </p> |
|
|
| 115 | <p> |
|
|
| 116 | Release Engineering informs the Gentoo Security Project when a first tree |
|
|
| 117 | snapshot is taken for media releases. Beginning with the first snapshot until |
|
|
| 118 | the official media release ("release preparation period"), Release Engineering |
|
|
| 119 | (the appointed security liaison in case of confidential issues) should be cc'd |
|
|
| 120 | on each security bug entering the stabilization phase. |
|
|
| 121 | </p> |
|
|
| 122 | </body> |
|
|
| 123 | </section> |
|
|
| 124 | <section> |
|
|
| 125 | <title>Kernels</title> |
112 | <title>Kernels</title> |
| 126 | <body> |
113 | <body> |
| 127 | |
114 | |
| 128 | <p> |
115 | <p> |
| 129 | Currently kernels are not covered by the GLSA release process. |
116 | Kernels are not covered by the GLSA release process. |
| 130 | Vulnerabilities must still be reported and will be fixed, but |
117 | Vulnerabilities must still be reported and will be fixed, but |
| 131 | <e>no GLSA will be issued</e> when everything is solved. |
118 | <b>no GLSA will be issued</b> when everything is solved. |
| 132 | </p> |
119 | </p> |
| 133 | |
120 | |
| 134 | <note> |
121 | <note> |
| 135 | This policy should be changed when new tools are added to cover |
122 | The <uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/kernel-check.git;a=summary">kernel-check</uri> |
| 136 | security vulnerabilities affecting the different kernel sources. |
123 | utility is being developed to provide Kernel security information. |
|
|
124 | This policy should be updated accordingly when it is ready. |
| 137 | </note> |
125 | </note> |
| 138 | |
126 | |
| 139 | </body> |
127 | </body> |
| 140 | </section> |
128 | </section> |
| 141 | <section> |
129 | <section> |
| 142 | <title>Non-stable packages</title> |
130 | <title>Non-stable packages</title> |
| 143 | <body> |
131 | <body> |
| 144 | |
132 | |
| 145 | <p> |
133 | <p> |
| 146 | Sometimes a vulnerability is found in a package that is not part of the stable |
134 | Sometimes a vulnerability is found in a package that is not part of the stable |
| 147 | trees. This is the case when the vulnerability is a security regression in a |
135 | trees. This is the case when the vulnerability is a security regression in a |
| 148 | newer (~ARCH) ebuild, but the older (stable) packages are not affected, or when |
136 | newer (~ARCH) ebuild, but the older (stable) packages are not affected, or when |
| 149 | the package has never had any stable ebuilds in the tree. |
137 | the package has never had any stable ebuilds in the tree. |
| 150 | In this case the vulnerability must still be reported and will be fixed, but |
138 | In this case the vulnerability must still be reported and will be fixed, but |
| 151 | <e>no GLSA will be issued</e> when everything is solved. |
139 | <b>no GLSA will be issued</b> when everything is solved. |
| 152 | </p> |
140 | </p> |
| 153 | |
141 | |
| 154 | <note> |
142 | <note> |
| 155 | This policy might be changed when our tools support more complex |
143 | This policy might be changed when our tools support more complex |
| 156 | upgrade paths and if a sufficient number of GLSA coordinators join |
144 | upgrade paths and if a sufficient number of GLSA coordinators join |
| 157 | the security team. |
145 | the Security Team. |
| 158 | </note> |
146 | </note> |
| 159 | |
147 | |
| 160 | </body> |
148 | </body> |
| 161 | </section> |
149 | </section> |
| 162 | </chapter> |
150 | </chapter> |
| 163 | |
151 | |
| 164 | <chapter> |
152 | <chapter> |
| 165 | <title>Vulnerability feed</title> |
153 | <title>Vulnerability feed</title> |
| 166 | <section> |
154 | <section> |
| 167 | <title>Published vulnerabilities</title> |
155 | <title>Published vulnerabilities</title> |
| 168 | <body> |
156 | <body> |
| 169 | |
157 | |
| 170 | <p> |
158 | <p> |
| 171 | Each vulnerability should initially be entered as a |
159 | Each vulnerability should initially be entered as a |
| 172 | <uri link="https://bugs.gentoo.org">Bugzilla</uri> entry with |
160 | <uri link="https://bugs.gentoo.org">Bugzilla</uri> entry with |
| 173 | product "Gentoo Security" and component "Vulnerabilities" (assigned to |
161 | product "Gentoo Security" and component "Vulnerabilities" (assigned to |
| 174 | <mail link="security@gentoo.org">security@gentoo.org</mail>). |
162 | <mail link="security@gentoo.org">security@gentoo.org</mail>). |
| 175 | Major security lists should have official scouts assigned to them which |
163 | Major security lists should have official scouts assigned to them which |
| 176 | should ensure that all vulnerabilities announced on these lists get a |
164 | should ensure that all vulnerabilities announced on these lists get a |
| 177 | security bugzilla entry. |
165 | security Bugzilla entry. |
| 178 | </p> |
166 | </p> |
| 179 | |
167 | |
| 180 | </body> |
168 | </body> |
| 181 | </section> |
169 | </section> |
| 182 | <section> |
170 | <section> |
| 183 | <title>Confidential vulnerabilities</title> |
171 | <title>Confidential vulnerabilities</title> |
| 184 | <body> |
172 | <body> |
| 185 | |
173 | |
| 186 | <p> |
174 | <p> |
| 187 | Confidential vulnerabilities (for example coming from developer's direct |
175 | Confidential vulnerabilities (for example coming from developer's direct |
| 188 | communication or restricted vendor-sec lists) should follow a specific |
176 | communication or restricted lists) must follow a specific procedure. |
| 189 | procedure. They should not appear as a public |
177 | They should not appear as a public bugzilla entry, but only in |
| 190 | bugzilla entry, but only in security-restricted media like a private |
178 | security-restricted media like a private bugzilla section or the GLSAMaker tool. |
| 191 | bugzilla section or the GLSAMaker tool. They should get |
|
|
| 192 | corrected using private communication channels between the GLSA coordinator |
179 | They should get corrected using private communication channels between the GLSA |
| 193 | and the package maintainer. |
180 | coordinator and the package maintainer. |
| 194 | </p> |
181 | </p> |
| 195 | |
182 | |
| 196 | <note> |
183 | <note> |
| 197 | Communication for confidential vulnerabilities should be properly encrypted. |
184 | Communication for confidential vulnerabilities should be properly encrypted. |
| 198 | They should be sent to specific security team members and encrypted with |
185 | They should be sent to specific Security Team members and encrypted with |
| 199 | their GPG key. The list of the security team members is available at |
186 | their GPG key. The list of the Security Team members is available at |
| 200 | <uri link="http://security.gentoo.org">security.gentoo.org</uri>, their key |
187 | <uri link="http://security.gentoo.org">security.gentoo.org</uri>, their key |
| 201 | IDs can be looked up on the |
188 | IDs can be looked up on the |
| 202 | <uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">Gentoo |
189 | <uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">Gentoo |
| 203 | Linux Developers List</uri> |
190 | Linux Developers List</uri> |
| 204 | and their keys can be retrieved from the |
191 | and their keys can be retrieved from the |
| 205 | <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri> keyserver. |
192 | <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri> keyserver. |
|
|
193 | The use of IRC and other unencrypted messaging methods is discouraged. |
| 206 | </note> |
194 | </note> |
| 207 | |
195 | |
| 208 | </body> |
196 | </body> |
| 209 | </section> |
197 | </section> |
| 210 | </chapter> |
198 | </chapter> |
| 211 | |
199 | |
| 212 | <chapter> |
200 | <chapter> |
| 213 | <title>Dispatch</title> |
201 | <title>Dispatch</title> |
| 214 | <section> |
202 | <section> |
| 215 | <title>Severity level</title> |
203 | <title>Severity level</title> |
| 216 | <body> |
204 | <body> |
| 217 | |
205 | |
| 218 | <p> |
206 | <p> |
| 219 | In order to seed the appropriate reaction times and escalation procedures, we |
207 | In order to seed the appropriate reaction times and escalation procedures, we |
| 220 | need to assign a severity level to each vulnerability. This severity |
208 | need to assign a severity level to each vulnerability. This severity |
| … | |
… | |
| 300 | <tr> |
288 | <tr> |
| 301 | <ti>Global service compromise: Denial of Service, passwords, full |
289 | <ti>Global service compromise: Denial of Service, passwords, full |
| 302 | database leaks, data loss (symlink attacks)</ti> |
290 | database leaks, data loss (symlink attacks)</ti> |
| 303 | <ti>3</ti> |
291 | <ti>3</ti> |
| 304 | <ti>normal</ti> |
292 | <ti>normal</ti> |
| 305 | </tr> |
293 | </tr> |
| 306 | <tr> |
294 | <tr> |
| 307 | <ti>Others: Cross-Site Scripting, information leak...</ti> |
295 | <ti>Others: Cross-Site Scripting, information leak...</ti> |
| 308 | <ti>4</ti> |
296 | <ti>4</ti> |
| 309 | <ti>low</ti> |
297 | <ti>low</ti> |
| 310 | </tr> |
298 | </tr> |
| 311 | </table> |
299 | </table> |
| 312 | |
300 | |
| 313 | <p> |
301 | <p> |
| 314 | Here is the table of the resulting severity levels. They should be set |
302 | Here is the table of the resulting severity levels. They should be set |
| 315 | to the bugzilla severity level of the same name: |
303 | to the Bugzilla severity level of the same name: |
| 316 | </p> |
304 | </p> |
| 317 | |
305 | |
| 318 | <table> |
306 | <table> |
| 319 | <tr> |
307 | <tr> |
| 320 | <th>Severity level</th> |
308 | <th>Severity level</th> |
| 321 | <th>Corresponding evaluations</th> |
309 | <th>Corresponding evaluations</th> |
| 322 | <th>Target delay</th> |
310 | <th>Target delay</th> |
| 323 | <th>GLSA</th> |
311 | <th>GLSA</th> |
| 324 | </tr> |
312 | </tr> |
| 325 | <tr> |
313 | <tr> |
| 326 | <ti>Blocker</ti> |
314 | <ti>Blocker</ti> |
| 327 | <ti>A0, B0</ti> |
315 | <ti>A0, B0</ti> |
| 328 | <ti>1 day</ti> |
316 | <ti>1 day</ti> |
| 329 | <ti>yes</ti> |
317 | <ti>yes</ti> |
| 330 | </tr> |
318 | </tr> |
| … | |
… | |
| 377 | wrangler and do the following tasks as soon as a new vulnerability |
365 | wrangler and do the following tasks as soon as a new vulnerability |
| 378 | enters <uri link="https://bugs.gentoo.org">Bugzilla</uri>: |
366 | enters <uri link="https://bugs.gentoo.org">Bugzilla</uri>: |
| 379 | </p> |
367 | </p> |
| 380 | |
368 | |
| 381 | <ul> |
369 | <ul> |
| 382 | <li>checking for duplicates: if the bug describes a vulnerability already |
370 | <li>checking for duplicates: if the bug describes a vulnerability already |
| 383 | reported it should be resolved as DUPLICATE</li> |
371 | reported it should be resolved as DUPLICATE</li> |
| 384 | <li>checking for wrong component: if the bug is not about a vulnerability |
372 | <li>checking for wrong component: if the bug is not about a vulnerability |
| 385 | its component should be changed appropriately</li> |
373 | its component should be changed appropriately</li> |
| 386 | <li>checking if the bug is really a vulnerability and that it affects a |
374 | <li>checking if the bug is really a vulnerability and that it affects a |
| 387 | Gentoo Linux package, otherwise resolve the bug as INVALID</li> |
375 | Gentoo Linux package, otherwise resolve the bug as INVALID</li> |
| 388 | </ul> |
376 | </ul> |
| 389 | |
377 | |
| 390 | <p> |
378 | <p> |
| 391 | During this phase it may be necessary to ask the reporter for details. The bug |
379 | During this phase it may be necessary to ask the reporter for details. The bug |
| 392 | remains with status NEW as long as necessary. When (if) the bug passes these |
380 | remains with status UNCONFIRMED or CONFIRMED as long as necessary. |
| 393 | sanity tests, it should be accepted and the bug wrangler should do the |
381 | When (if) the bug passes these sanity tests, it should be marked as IN_PROGRESS |
| 394 | following: |
382 | and the bug wrangler should do the following: |
| 395 | </p> |
383 | </p> |
| 396 | |
384 | |
| 397 | <ul> |
385 | <ul> |
| 398 | <li>rename the bug so that it includes category/package-name at start |
386 | <li>rename the bug so that it includes category/package-name at start |
| 399 | (for example: "net-mail/clamav: DoS using RAR files")</li> |
387 | (for example: <e>net-mail/clamav: DoS using RAR files</e>)</li> |
|
|
388 | <li>remove version information in the bug title if there is no fixed version |
|
|
389 | available. Bug titles like <e><=category/package-1.2.3</e>, where 1.2.3 |
|
|
390 | is the latest version of the package, should be avoided.</li> |
| 400 | <li>evaluate and assign a severity level (see above)</li> |
391 | <li>evaluate and assign a severity level (see above)</li> |
| 401 | <li>set the status to ASSIGNED</li> |
392 | <li>set the status to IN_PROGRESS</li> |
| 402 | <li>seed the status whiteboard to the correct severity code and status</li> |
393 | <li>seed the status whiteboard to the correct severity code and status</li> |
| 403 | <li>cc package maintainers to the bug according to package metadata</li> |
394 | <li>cc package maintainers to the bug according to package metadata</li> |
| 404 | <li>set the URL field to an upstream bug or similar</li> |
395 | <li>set the URL field to an upstream bug or similar</li> |
| 405 | <li>search for reserved or assigned CVE identifier and add it to the bug title, request a CVE otherwise</li> |
396 | <li>search for a reserved or assigned CVE identifier and add it to the bug title, |
| 406 | <li>optionally assign a GLSA coordinator for the bug, by adding the |
397 | request a CVE otherwise</li> |
| 407 | coordinator name to the status whiteboard</li> |
398 | <li>enter the bug number in the CVE tracker (given the wrangler has access to it)</li> |
|
|
399 | <li>set the Alias field to the CVE identifier. |
|
|
400 | In case there are multiple identifiers, use the first one.</li> |
| 408 | </ul> |
401 | </ul> |
| 409 | |
402 | |
| 410 | <warn> |
403 | <warn> |
| 411 | You should not change bug severity once it has been assigned. If you want to |
404 | You should not change bug severity once it has been assigned. If you want to |
| 412 | increase developer awareness that a bug needs care, use the Priority field |
405 | increase developer awareness that a bug needs care, use the Priority field |
| 413 | instead. |
406 | instead. |
| 414 | </warn> |
407 | </warn> |
| 415 | |
408 | |
| 416 | </body> |
409 | </body> |
| 417 | </section> |
410 | </section> |
| 418 | <section> |
411 | <section> |
| 419 | <title>Timeframe and backup procedures</title> |
412 | <title>Timeframe and backup procedures</title> |
| 420 | <body> |
413 | <body> |
| 421 | |
414 | |
| 422 | <p> |
415 | <p> |
| … | |
… | |
| 439 | <body> |
432 | <body> |
| 440 | |
433 | |
| 441 | <p> |
434 | <p> |
| 442 | The GLSA coordinator has responsibility for the following tasks: |
435 | The GLSA coordinator has responsibility for the following tasks: |
| 443 | </p> |
436 | </p> |
| 444 | |
437 | |
| 445 | <ul> |
438 | <ul> |
| 446 | <li>determine what must be done in order to close the vulnerability (for |
439 | <li>determine what must be done in order to close the vulnerability (for |
| 447 | example identify the upstream version containing the fix)</li> |
440 | example identify the upstream version containing the fix)</li> |
| 448 | <li>if no fix is available from upstream yet, ensure that the bug is correctly |
441 | <li>if no fix is available from upstream yet, ensure that the bug is correctly |
| 449 | reported to the upstream developer and set status whiteboard to |
442 | reported to the upstream developer and set status whiteboard to |
| 450 | <c>upstream</c></li> |
443 | <c>upstream</c></li> |
| 451 | <li>if a fix is available, get the package maintainer involved to produce and |
444 | <li>if a fix is available, get the package maintainer involved to produce and |
| 452 | commit an ebuild containing the fix and set status whiteboard to <c>ebuild</c></li> |
445 | commit an ebuild containing the fix and set status whiteboard to <c>ebuild</c></li> |
| 453 | <li>once an ebuild is committed, evaluate what keywords are needed for the fix |
446 | <li>once an ebuild is committed, evaluate what keywords are needed for the fix |
| 454 | ebuild and get arch-specific teams to test and mark |
447 | ebuild and get arch-specific Teams to test and mark |
| 455 | the ebuild stable on their architectures (arch-teams should be cc'd on |
448 | the ebuild stable on their architectures (arch teams should be cc'd on |
| 456 | the bug, as well as releng during release preparation) and set status |
449 | the bug, as well as releng during release preparation) and set status |
| 457 | whiteboard to <c>stable</c></li> |
450 | whiteboard to <c>stable</c></li> |
| 458 | <li>arch-maintainers should mark the ebuild stable if there is no regression |
451 | <li>arch-maintainers should mark the ebuild stable if there is no regression |
| 459 | in the fix ebuild compared to the latest vulnerable version</li> |
452 | in the fix ebuild compared to the latest vulnerable version</li> |
| 460 | <li>in parallel, writing a draft GLSA using the GLSAMaker tool</li> |
453 | <li>in parallel, writing a draft GLSA using the GLSAMaker tool</li> |
| 461 | <li>when the corrective ebuild is ready for all supported archs, set the |
454 | <li>when the corrective ebuild is ready for all supported archs, set the |
| 462 | status whiteboard to <c>glsa</c></li> |
455 | status whiteboard to <c>glsa</c></li> |
| 463 | </ul> |
456 | </ul> |
| 464 | |
457 | |
| 465 | <note> |
458 | <note> |
| 466 | If the bug makes progress and the assigned GLSA coordinator does not react, |
459 | If the bug makes progress and the assigned GLSA coordinator does not react, |
| 467 | the other members of the security team can help keeping the bug rolling by |
460 | the other members of the Security Team can help keeping the bug rolling by |
| 468 | updating its status. |
461 | updating its status. |
| 469 | </note> |
462 | </note> |
| 470 | |
463 | |
| 471 | </body> |
464 | </body> |
| 472 | </section> |
465 | </section> |
| 473 | <section> |
466 | <section> |
| 474 | <title>Timeframe and escalation procedures</title> |
467 | <title>Timeframe and escalation procedures</title> |
| 475 | <body> |
468 | <body> |
| 476 | |
469 | |
| 477 | <p> |
470 | <p> |
| 478 | In order to meet the target delay for vulnerability resolution, a number of |
471 | In order to meet the target delay for vulnerability resolution, a number of |
| 479 | escalation procedures have been defined. These include: |
472 | escalation procedures have been defined. These include: |
| 480 | </p> |
473 | </p> |
| 481 | |
474 | |
| 482 | <ul> |
475 | <ul> |
| 483 | <li>when a bug in a waiting state needs urgent care, |
476 | <li>when a bug in a waiting state needs urgent care, |
| 484 | you should change the status whiteboard |
477 | you should change the status whiteboard |
| 485 | entries to their "+" counterpart: <c>upstream+</c>, <c>ebuild+</c>, |
478 | entries to their "+" counterpart: <c>upstream+</c>, <c>ebuild+</c>, |
| 486 | <c>stable+</c> and <c>glsa+</c></li> |
479 | <c>stable+</c> and <c>glsa+</c></li> |
| 487 | <li>if no upstream fix is available (<c>upstream+</c> status), a decision must |
480 | <li>if no upstream fix is available (<c>upstream+</c> status), a decision must |
| 488 | be taken on masking the |
481 | be taken on masking the |
| 489 | package: the security team can mask a package which is not depended on by |
482 | package: The Security Team can mask a package which is not depended on by |
| 490 | itself, but need a TLP manager approval before masking a package which is |
483 | itself, maintainers should be consulted before masking a package which is |
| 491 | not standalone</li> |
484 | not standalone</li> |
| 492 | <li>if the maintainer/herd does not show up for producing the ebuild during 48 |
485 | <li>if the maintainer/herd does not show up for producing the ebuild during 48 |
| 493 | hours after summoning (<c>ebuild+</c> status), the security team should |
486 | hours after summoning (<c>ebuild+</c> status), the Security Team should |
| 494 | try to bump the ebuild by itself</li> |
487 | try to bump the ebuild by itself</li> |
| 495 | <li>if testing and marking stable takes too much time (<c>stable+</c> status), |
488 | <li>if testing and marking stable takes too much time (<c>stable+</c> status), |
| 496 | the security team will shout on IRC channels and gentoo-dev list to get |
489 | the Security Team will shout on IRC channels and gentoo-dev list to get |
| 497 | more testers. It will either mark the ebuild stable by itself or, in the |
490 | more testers. It will either mark the ebuild stable by itself or, in the |
| 498 | event this cannot be done due to stability issues, mask it (see security |
491 | event this cannot be done due to stability issues, mask it (see security |
| 499 | masking approval policy above)</li> |
492 | masking approval policy above)</li> |
| 500 | <li>if the GLSA coordinator does not show up to draft a GLSA (<c>glsa+</c> |
493 | <li>if the GLSA coordinator does not show up to draft a GLSA (<c>glsa+</c> |
| 501 | status), then another member of the security team should draft the GLSA |
494 | status), then another member of the Security Team should draft the GLSA |
| 502 | and submit it to peer review</li> |
495 | and submit it to peer review</li> |
| 503 | </ul> |
496 | </ul> |
| 504 | |
497 | |
| 505 | </body> |
498 | </body> |
| 506 | </section> |
499 | </section> |
| 507 | <section> |
500 | <section> |
| 508 | <title>Good practices for security bugs</title> |
501 | <title>Good practices for security bugs</title> |
| 509 | <body> |
502 | <body> |
| 510 | |
503 | |
| 511 | <p> |
504 | <p> |
| 512 | Security bugs differ from other bugs, in that an easy and simple upgrade path |
505 | Security bugs differ from other bugs, in that an easy and simple upgrade path |
| 513 | must be presented to users through the GLSA. Therefore package maintainers and |
506 | must be presented to users through the GLSA. Therefore package maintainers and |
| 514 | GLSA coordinators should follow these good practices: |
507 | GLSA coordinators should follow these good practices: |
| 515 | </p> |
508 | </p> |
| 516 | |
509 | |
| … | |
… | |
| 522 | than any previously published version, so that an easy upgrade path can |
515 | than any previously published version, so that an easy upgrade path can |
| 523 | be proposed to the user</li> |
516 | be proposed to the user</li> |
| 524 | <li>In case of a patch, it should only be applied to the more recent version, |
517 | <li>In case of a patch, it should only be applied to the more recent version, |
| 525 | there is no need to rev-bump all ebuilds with a patched version</li> |
518 | there is no need to rev-bump all ebuilds with a patched version</li> |
| 526 | <li>Vulnerable versions should be left in the tree until the bug enters the |
519 | <li>Vulnerable versions should be left in the tree until the bug enters the |
| 527 | <c>stable</c> status, in order to correctly evaluate what keywords |
520 | <c>stable</c> status, in order to correctly evaluate what keywords |
| 528 | are needed for the fix version</li> |
521 | are needed for the fix version</li> |
| 529 | </ul> |
522 | </ul> |
| 530 | |
523 | |
| 531 | </body> |
524 | </body> |
| 532 | </section> |
525 | </section> |
| 533 | <section> |
526 | <section> |
| 534 | <title>Temporary GLSAs</title> |
527 | <title>Temporary GLSAs</title> |
| 535 | <body> |
528 | <body> |
| 536 | |
529 | |
|
|
530 | <note> |
|
|
531 | This is no longer common practice. |
|
|
532 | </note> |
|
|
533 | |
| 537 | <p> |
534 | <p> |
| 538 | If a <e>blocker</e> or <e>critical</e> or <e>major</e> vulnerability cannot |
535 | If a <e>blocker</e> or <e>critical</e> or <e>major</e> vulnerability cannot |
| 539 | totally be corrected in the target delay, |
536 | totally be corrected in the target delay, |
| 540 | an early warning GLSA should be written with workaround information. |
537 | an early warning GLSA should be written with workaround information. |
| 541 | This GLSA will be replaced by the final GLSA when the |
538 | This GLSA will be replaced by the final GLSA when the |
| 542 | definitive correction is available. |
539 | definitive correction is available. |
| 543 | </p> |
540 | </p> |
| 544 | |
541 | |
| 545 | <p> |
542 | <p> |
| 546 | If a common (type A or B) package is masked for security reasons, a temporary |
543 | If a common (type A or B) package is masked for security reasons, a temporary |
| 547 | GLSA should be issued to explain why the package is currently unavailable |
544 | GLSA should be issued to explain why the package is currently unavailable |
| 548 | and/or why people should uninstall the current version. This GLSA will be |
545 | and/or why people should uninstall the current version. This GLSA will be |
| 549 | replaced by the final GLSA when the fix becomes available and the package is |
546 | replaced by the final GLSA when the fix becomes available and the package is |
| 550 | unmasked. |
547 | unmasked. |
| 551 | </p> |
548 | </p> |
| 552 | |
549 | |
| 553 | </body> |
550 | </body> |
| 554 | </section> |
551 | </section> |
| 555 | </chapter> |
552 | </chapter> |
| 556 | |
553 | |
| 557 | <chapter> |
554 | <chapter> |
| 558 | <title>GLSA publication process</title> |
555 | <title>GLSA publication process</title> |
| 559 | <section> |
556 | <section> |
| 560 | <title>Peer review</title> |
557 | <title>Peer review</title> |
| 561 | <body> |
558 | <body> |
| 562 | |
559 | |
| 563 | <p> |
560 | <p> |
| 564 | Once ready, a GLSA should be submitted to peer review. At least two members |
561 | Once ready, a GLSA should be submitted to peer review. At least two members |
| 565 | of the security team must approve the draft GLSA. Once the draft passes the |
562 | of the Security Team must approve the draft GLSA. Once the draft passes the |
| 566 | peer review process, it should be assigned an official GLSA number. |
563 | peer review process, it should be assigned an official GLSA number. |
| 567 | </p> |
564 | </p> |
| 568 | |
565 | |
| 569 | </body> |
566 | </body> |
| 570 | </section> |
567 | </section> |
| 571 | <section> |
568 | <section> |
| 572 | <title>GLSA release</title> |
569 | <title>GLSA release</title> |
| 573 | <body> |
570 | <body> |
| 574 | |
571 | |
| 575 | <p> |
572 | <p> |
| 576 | Once the GLSA passes the peer review process (and after making sure the ebuild |
573 | Once the GLSA passes the peer review process (and after making sure the ebuild |
| 577 | has made its way into the stable tree), the GLSA coordinator should |
574 | has made its way into the stable tree), the GLSA coordinator should |
| 578 | commit the GLSA XML in the Gentoo CVS repository. |
575 | commit the GLSA XML in the Gentoo CVS repository. |
| 579 | Once this is done, the GLSA will automatically appear on the |
576 | Once this is done, the GLSA will automatically appear on the |
| 580 | <uri link="http://glsa.gentoo.org">official GLSA index page</uri> and |
577 | <uri link="http://glsa.gentoo.org">official GLSA index page</uri> and |
| … | |
… | |
| 588 | <body> |
585 | <body> |
| 589 | |
586 | |
| 590 | <p> |
587 | <p> |
| 591 | The GLSA text version must be published by the GLSA coordinator to the |
588 | The GLSA text version must be published by the GLSA coordinator to the |
| 592 | following media: |
589 | following media: |
| 593 | </p> |
590 | </p> |
| 594 | |
591 | |
| 595 | <table> |
592 | <table> |
| 596 | <tr> |
593 | <tr> |
| 597 | <ti>Gentoo Linux official announcement mailing-list</ti> |
594 | <ti>Gentoo Linux official announcement mailing-list</ti> |
| 598 | <ti> |
595 | <ti> |
| 599 | <mail link="gentoo-announce@lists.gentoo.org">gentoo-announce@lists.gentoo.org</mail> |
596 | <mail link="gentoo-announce@lists.gentoo.org">gentoo-announce@lists.gentoo.org</mail> |
| 600 | </ti> |
597 | </ti> |
| 601 | </tr> |
598 | </tr> |
| 602 | <tr> |
599 | <tr> |
| 603 | <ti>Bugtraq security mailing-list</ti> |
|
|
| 604 | <ti> |
|
|
| 605 | <mail link="bugtraq@securityfocus.com">bugtraq@securityfocus.com</mail> |
|
|
| 606 | </ti> |
|
|
| 607 | </tr> |
|
|
| 608 | <tr> |
|
|
| 609 | <ti>Full-disclosure security mailing-list</ti> |
|
|
| 610 | <ti> |
|
|
| 611 | <mail link="full-disclosure@lists.grok.org.uk"> |
|
|
| 612 | full-disclosure@lists.grok.org.uk |
|
|
| 613 | </mail> |
|
|
| 614 | </ti> |
|
|
| 615 | </tr> |
|
|
| 616 | <tr> |
|
|
| 617 | <ti>Linuxsecurity.com advisories service</ti> |
|
|
| 618 | <ti> |
|
|
| 619 | <mail link="security-alerts@linuxsecurity.com"> |
|
|
| 620 | security-alerts@linuxsecurity.com |
|
|
| 621 | </mail> |
|
|
| 622 | </ti> |
|
|
| 623 | </tr> |
|
|
| 624 | <tr> |
|
|
| 625 | <ti>Gentoo Linux announcement forum</ti> |
600 | <ti>Gentoo Linux announcement forum</ti> |
| 626 | <ti><uri>http://forums.gentoo.org/viewforum.php?f=16</uri></ti> |
601 | <ti><uri>http://forums.gentoo.org/viewforum.php?f=16</uri></ti> |
| 627 | </tr> |
602 | </tr> |
| 628 | </table> |
603 | </table> |
| 629 | |
604 | |
| 630 | <p> |
605 | <p> |
| 631 | There should be one single email sent, with the following rules: |
606 | There should be one single email sent, with the following rules: |
| 632 | </p> |
607 | </p> |
| 633 | |
608 | |
| 634 | <ul> |
609 | <ul> |
| 635 | <li>The <c>To:</c> field must be set to gentoo-announce</li> |
610 | <li>The <c>To:</c> field must be set to gentoo-announce</li> |
| 636 | <li>The <c>Cc:</c> filed must contain the other email addresses</li> |
|
|
| 637 | <li>The <c>From:</c> and <c>Return-Path:</c> must be set to the GLSA |
611 | <li>The <c>From:</c> and <c>Return-Path:</c> must be set to the GLSA |
| 638 | coordinator @gentoo.org address</li> |
612 | coordinator @gentoo.org address</li> |
| 639 | <li>The <c>Subject:</c> field must be "[ GLSA XXXXYY-ZZ ] Your vulnerability |
613 | <li>The <c>Subject:</c> field must be "[ GLSA XXXXYY-ZZ ] Your vulnerability |
| 640 | here"</li> |
614 | here"</li> |
| 641 | <li>The body should only contain the text version of the GLSA</li> |
615 | <li>The body should only contain the text version of the GLSA</li> |
| 642 | <li>The email must be signed by the GLSA coordinator GPG key</li> |
616 | <li>The email must be signed by the GLSA coordinator GPG key</li> |
| 643 | </ul> |
617 | </ul> |
| 644 | |
618 | |
| 645 | <note> |
619 | <note> |
| 646 | Developer key IDs can be found on the Gentoo Linux |
620 | Developer key IDs can be found on the Gentoo Linux |
| 647 | <uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml"> |
621 | <uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml"> |
| 648 | Developer list</uri>. All the security team GPG keys are published on public |
622 | Developer list</uri>. All the Security Team GPG keys are published on public |
| 649 | key servers, including (but not limited to) |
623 | key servers, including (but not limited to) |
| 650 | <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri>. |
624 | <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri>. |
| 651 | </note> |
625 | </note> |
| 652 | |
626 | |
| 653 | <note> |
627 | <note> |
| 654 | To minimize errors in the publication process, the forum publication step is |
628 | To minimize errors in the publication process, the forum publication step is |
| 655 | handled by an automatic poster when it receives the announcement. |
629 | handled by an automatic poster when it receives the announcement. |
| 656 | </note> |
630 | </note> |
| 657 | |
631 | |
|
|
632 | <note> |
|
|
633 | Starting Feb 2, 2012, we have decied to no longer CC any third parties. |
|
|
634 | The gentoo-announce mailing list has little other traffic, so that they |
|
|
635 | should be subscribed there. General security mailing lists such as full- |
|
|
636 | disclosure or bugtraq are not our target audience, and having various |
|
|
637 | distributions send notices about the same issues is not of any use to most |
|
|
638 | readers there, they too should be on gentoo-announce. |
|
|
639 | </note> |
|
|
640 | |
| 658 | <p> |
641 | <p> |
| 659 | When the GLSA has been published the corresponding bugzilla bug should be |
642 | When the GLSA has been published the corresponding bugzilla bug should be |
| 660 | resolved as FIXED, with the GLSA number referenced in the comments section |
643 | resolved as FIXED, with the GLSA number referenced in the comments section |
| 661 | of the bug. |
644 | of the bug. GLSAMaker 2 offers this option after releasing the advisory. |
| 662 | </p> |
645 | </p> |
| 663 | |
646 | |
| 664 | </body> |
647 | </body> |
| 665 | </section> |
648 | </section> |
| 666 | <section> |
649 | <section> |
| 667 | <title>GLSA errata</title> |
650 | <title>GLSA errata</title> |
| 668 | <body> |
651 | <body> |
| 669 | |
652 | |
| 670 | <p> |
653 | <p> |
| 671 | Sometimes an error will slip through the peer-review process and an incorrect |
654 | Sometimes an error will slip through the peer-review process and an incorrect |
| 672 | GLSA will be published to the world. Depending on the severity of the error(s), |
655 | GLSA will be published to the world. Depending on the severity of the error(s), |
| 673 | the following policy for erratum should be applied: |
656 | the following policy for erratum should be applied: |
| 674 | </p> |
657 | </p> |
| 675 | |
658 | |
| 676 | <table> |
659 | <table> |
| … | |
… | |
| 700 | <ti>Error in affected/unaffected versions number, but people using stable |
683 | <ti>Error in affected/unaffected versions number, but people using stable |
| 701 | packages and applying GLSA instructions are protected anyway</ti> |
684 | packages and applying GLSA instructions are protected anyway</ti> |
| 702 | <ti>The GLSA XML should be corrected, no publication</ti> |
685 | <ti>The GLSA XML should be corrected, no publication</ti> |
| 703 | </tr> |
686 | </tr> |
| 704 | <tr> |
687 | <tr> |
| 705 | <ti>Error in affected/unaffected versions number, people applying GLSA |
688 | <ti>Error in affected/unaffected versions number, people applying GLSA |
| 706 | instructions are not at all protected</ti> |
689 | instructions are not at all protected</ti> |
| 707 | <ti>An erratum GLSA should be published, replacing the erroneous one</ti> |
690 | <ti>An erratum GLSA should be published, replacing the erroneous one</ti> |
| 708 | </tr> |
691 | </tr> |
| 709 | </table> |
692 | </table> |
| 710 | |
693 | |
| 711 | </body> |
694 | </body> |
| 712 | </section> |
695 | </section> |
| 713 | </chapter> |
696 | </chapter> |
| 714 | </guide> |
697 | </guide> |
|
|
698 | <!-- vim: set et noai inde=: --> |
Parent Directory
| 
Revision Log
| 
Patch