
Re: I've got some free time and the skills: msg#00011

Subject: Re: I've got some free time and the skills
On Mon, Oct 10, 2005 at 08:28:44PM +0000, bannedit@xxxxxxxxxxxxxxx wrote:
> 
> Thanks Javier, for the direction. I read through the archives. I'm a
> little foggy on the exact process for disclosing the vulnerabilities.
> From what I gather from the audit FAQ it seems I would contact the
> security team via e-mail @ security@xxxxxxxxxx if the issue is not
> currently publicly disclosed and have them confirm the vulnerability.
> Is this the proper procedure?

Yes, the process is:

1- Contact the security team, the package maintainer and upstream maintainers.
   Provide relevant information and a patch if possible.
2- For upstream maintainers that are not aware of the security fix process,
   make them aware of it (see my previous post)
3- Package maintainers should coordinate with the Security Team before
   uploading to sid and should use the CVE name in the changelog.
4- Security Team fixes the issue, builds new packages and issues the DSA


This is, of course, only if the package (and the bug) is present in stable
or old-stable (which are supported by the Security Team). If it is not there,
you can send the issue to the upstream and package maintainer, and either
to the Debian BTS (if you think it can be made public) or to the Debian
Security Team (if the issue is sensible [1] and you want them to forward it to
other vendors through vendor-sec).

Regards

Javier

[1] For "sensible", ask yourself these questions: is the software in wide use?
Is the security issue critical? (like a remote code execution or a local
privilege escalation to root) Are other vendors distributing this code in
their stable releases?

You can use the CVSS metric (http://www.first.org/cvss/) for guidance,
although just common sense might do too.

PS: Maybe we should update http://www.debian.org/security/audit/faq#reporting
with the above information, I don't think the Security team FAQ covers all
cases (i.e. when you find a security bug that does not affect stable)

_______________________________________________
Debian-audit mailing list
Debian-audit@xxxxxxxxxxxxx
http://shellcode.org/mailman/listinfo/debian-audit