From 0d1c13f557ee88b766c0337780963e4c4888b3a3 Mon Sep 17 00:00:00 2001 From: Michael Gilbert Date: Sun, 13 Sep 2009 19:07:35 +0000 Subject: narrative_introduction - update on removed-packages file - clean up some formatting and grammar git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@12800 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- doc/narrative_introduction | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) (limited to 'doc/narrative_introduction') diff --git a/doc/narrative_introduction b/doc/narrative_introduction index 384d02910e..e7083b3a69 100644 --- a/doc/narrative_introduction +++ b/doc/narrative_introduction @@ -60,8 +60,8 @@ This will check out our working repository after asking for your alioth password twice. This is normal and to be expected. After successfully downloading, you will have a new directory called secure-testing. Inside this directory are a number of subdirectories. The data directory is -where we do most of our work. If you don't have Alioth account, you can -create one at: +where we do most of our work. If you don't have an Alioth account, you +can create one at: https://alioth.debian.org/account/register.php @@ -102,6 +102,7 @@ with the secure-testing repository: Automatic Issue Updates ----------------------- + Twice a day a cronjob runs that pulls down the latest full CVE lists from Mitre, this automatically gets checked into data/CVE/list, and also syncs that file with other lists like data/DSA/list and @@ -122,6 +123,7 @@ do this. Processing TODO entries ----------------------- + The Mitre update typically manifests in new CVE entries. So what we do is to update our svn repository and then edit data/CVE/list and look for new TODO entries. These will often be in blocks of 10-50 or so, 
@@ -149,6 +151,7 @@ IMPORTANT: make sure to read: http://lists.alioth.debian.org/pipermail/secure-te Issues Not-For-Us (NFU) ----------------------- + Processing your claimed entries is done by first seeing if the issue is related to any software packaged in Debian, if it isn't a package in Debian and has no ITP then you note that in the file. Another case @@ -175,6 +178,7 @@ but the package was removed Reserved entries ---------------- + Several security problems have coordinated dates of public disclosure, i.e. a CVE identifier has been assigned to a problem, but it's not public yet. Also, several vendors have a pool of CVE ids they can @@ -186,6 +190,7 @@ CVE-2005-1432 Rejected entries ---------------- + Sometimes there are CVE assignments that later turn out to be duplicates, mistakes or non-issues. These items are reverted and turned into REJECTED entries: @@ -195,6 +200,7 @@ CVE-2005-4129 ITP packages ------------ + If it is a package that someone has filed an RFP or ITP for, then that is also noted, so it can be tracked to make sure that the issue is resolved before the package enters the archive: @@ -206,6 +212,7 @@ in Serendipity ...) Packages in the archive ----------------------- + If it is a package in Debian, look to see if the package is affected or not (sometimes newer versions that have the fixes have already been uploaded). @@ -257,6 +264,9 @@ CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta is also used if a vulnerability was fixed before a package was uploaded into the Debian archive. +Removed packages +---------------- + Sometimes there are cases, where a vulnerability hasn't been fixed with a code change, but simply by deciding that a package is that broken that it needs to be removed from the archive entirely. This is tracked with 
@@ -265,11 +275,6 @@ the tag: CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...) - openwebmail -After a new Debian release, some packages vanish from the database, -and consistency checks might fail. In this case, a single -entry needs to be added to an input file, or the package name should -be included in the data/packages/removed-packages file. - Also note that it is sufficient to mark a package as removed in unstable. The tracker is aware of which package is present in which distribution and marks other distributions that still contain the package automagically @@ -280,8 +285,16 @@ unstable, then: will track oldstable as affected, but stable and unstable as not-affected. +Once a package has been completely removed from all currently supported +debian releases, it should be tracked in the data/packages/removed-packages +file. This file lists all packages (one source package per line) that were +at one time in a debian release, but no longer exist in any supported +version. Additions to this file can be used to address failing consistency +checks after a new release. + Severity levels --------------- + These levels are mostly used to prioritize the order in which security problems are resolved. Anyway, we have a rough overview on how you should assess these levels. @@ -326,6 +339,7 @@ their importance. NOTE and TODO entries --------------------- + There are many instances where more work has to be done to determine if something is affected, and you might not be able to do this at the time. These entries can have their TODO line changed to something @@ -351,6 +365,7 @@ STABLE11 and ...) CVE assignments --------------- + Debian can only assign CVE names from its own pool for issues which are not public. To request a CVE from the Debian pool, write to and include a description which follows CVE 
@@ -374,6 +389,7 @@ cross-referenced advisories nevertheless. Distribution tags ----------------- + Our data is primarily targeted at sid, as we track the version that a certain issue was fixed in sid. The Security Tracker web site (see below) derives information about the applicability of a vulnerability @@ -392,6 +408,7 @@ which isn't part of Sarge. Generated Reports ----------------- + All of this tracking information gets automatically parsed and compared against madison to determine what has been fixed and what is still waiting, this results in this website: @@ -425,6 +442,7 @@ For every security problem it displays The DSA list ------------ + We maintain a list of all DSA advisories issued by the stable security team. This information is used to derive information about the state of security problems for the stable and oldstable distribution. An @@ -458,6 +476,7 @@ You should not blindly trust the script output and double-check it, though. Checking your changes --------------------- + Commits are checked for syntax errors before they are actually committed, and you'll receive an error and your commit is aborted if it is in error. To check your changes yourself beforehand, use "make check-syntax" from @@ -465,6 +484,7 @@ the root of the svn directory. Following up on security issues ------------------------------- + By simply loading this page and doing a little gardening of the different issues many things can be done. One thing is that you can read all the bug reports of each issue and see if new information has @@ -499,6 +519,7 @@ usertag $BUGNUM + tracked IRC Channel ----------- + We hang-out on #debian-security on OFTC, stop by the IRC channel if you'd like, also we can add you to the alioth project so you have svn write permission and you can test drive it on the testing issues for -- cgit v1.2.3
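Review bot: in the hunk at @@ -280,8 +285,16 the added paragraph writes "debian" in lower case twice ("all currently supported debian releases", "at one time in a debian release"), while the rest of the file consistently capitalizes the project name ("the Debian archive", "a new Debian release"). Please change both to "Debian releases" / "a Debian release" so the new text matches the surrounding style.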
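Review bot: the hunk at @@ -265,11 +275,6 deletes the only mention of the alternative remedy for a failing consistency check after a release ("a single entry needs to be added to an input file, or the package name should be included in the data/packages/removed-packages file"), but the replacement paragraph in the later hunk only documents the removed-packages file. If adding a single entry to an input file is still a valid way to silence the check, that sentence should be carried over into the new "Removed packages" text; if it is no longer valid, the commit message should say so rather than presenting this as a formatting update. Also, with the preceding paragraph gone, "Also note that it is sufficient to mark a package as removed in unstable" now follows the openwebmail example directly, so the leading "Also" no longer refers to anything and could be dropped.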
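Review bot: the new "Removed packages" heading in the hunk at @@ -257,6 +264,9 sits directly above the unchanged sentence "a package is that broken that it needs to be removed from the archive entirely", which is one of the grammar problems the commit message says it cleans up; since this hunk already touches that spot, it would be a natural place to reword it to "a package is so broken that it needs to be removed from the archive entirely". The heading itself and its sixteen-character underline match the file's existing heading convention.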