From 44461ec4603732b218dc54824eb0bf671c039eaa Mon Sep 17 00:00:00 2001 From: Neil Williams Date: Wed, 16 Feb 2022 07:44:02 +0000 Subject: Update for review comments --- doc/security-team.d.o/security_tracker | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/doc/security-team.d.o/security_tracker b/doc/security-team.d.o/security_tracker index e7a5e079bb..562d8cbf80 100644 --- a/doc/security-team.d.o/security_tracker +++ b/doc/security-team.d.o/security_tracker @@ -25,10 +25,6 @@ For example, systems with some additional or modified packages compared to Debia a separate triage process for every NFU to find ones which are relevant to what has been added as well as a triage on packages which differ from Debian. -When a vulnerability relates to a package, the triage will need to include an -assessment of the severity of the vulnerability as it affects Debian. See [Severity -levels](#security-levels). - Entries in the Debian Security Tracker do not imply anything about how a vulnerability may affect systems other than Debian. 
@@ -437,12 +433,10 @@ assess these levels. Certain packages may get higher or lower rating than usual, based on their importance. -Assessments of severity are made against the binaries as provided by Debian. A -vulnerability where an exploit would rely on changing configuration in a non-standard -way or rebuilding the binary from source to enable|disable some feature is not -considered to be of high severity. For each vulnerability, the severity assigned within -the Debian Security Tracker only relates to how Debian views that vulnerability and how -quickly the fix may need to be applied to the specified package(s) within Debian. +Assessments of severity are made against the binaries as provided by Debian. For each +vulnerability, the severity assigned within the Debian Security Tracker only relates to +how Debian views that vulnerability and how quickly the fix may need to be applied to +the specified package(s) within Debian. ### Vulnerabilities without an assigned CVE id @@ -569,8 +563,8 @@ Summary of tracker syntax For a vulnerability in a package in Debian or proposed for introduction into Debian, the syntax should contain at least the `PKG_NAME` tabbed line and a `NOTE:` providing a -URL to the fixing commit. Other lines are added, where relevant, within the general -syntax. +URL to useful references, like commit references, bug tracker entries and advisories. +Other lines are added, where relevant, within the general syntax. CVE-YYYY-NNNNNN [(description)] \t RESERVED 
@@ -588,7 +582,10 @@ syntax. - The pre-commit hook will check the syntax of each entry. The description of the CVE is not edited in the security tracker but it will be -shortened in the tracker page for the vulnerability. +shortened in the tracker page for the vulnerability. A temporary description can be +added with the `[description]` syntax, for example for clarification. This will not be +overridden by an automatic update unless there is a change in the description of the +CVE in the MITRE feed For ``, the comment needs to include the bug number as `(bug #NNNNNNNNNN)`. @@ -604,8 +601,9 @@ mailing list and IRC notifications (see [Automatic issue updates](#automatic-iss However, changes to the tracker website itself (e.g., the files in `lib/*` and `bin/tracker_service.py`) should be vetted and approved before being committed. The preferred way to do this is to send a patch to the -`debian-security-tracker@lists.debian.org` mailing list. +`debian-security-tracker@lists.debian.org` mailing list or a merge request in Salsa. +- [Salsa](https://salsa.debian.org/security-tracker-team/security-tracker/) - [https://lists.debian.org/debian-security-tracker/](https://lists.debian.org/debian-security-tracker/) Commits are checked for syntax errors before they are actually committed, @@ -733,7 +731,7 @@ project. * `./bin/report-vuln` - generate the correct email body to report a bug against a source package relating to an unfixed CVE(s). -### Useful search support for checking new CVES +### Useful search support for checking new CVEs - [https://www.debian.org/distrib/packages#search_packages](https://www.debian.org/distrib/packages#search_packages) - [https://wnpp.debian.net/](https://wnpp.debian.net/) (Be aware, forwarded ITPs might -- cgit v1.2.3
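Review bot: in the hunk at @@ -25,10 the removed paragraph was the only place the triage section said that severity is assessed as part of triage, and the only link from that section to the Severity levels section; if severity assessment still belongs to triage, keep a one-line pointer such as `See [Severity levels](#security-levels).` (and check that the anchor matches the heading, since the link text says "Severity levels" while the anchor is `#security-levels`), otherwise state explicitly that severity is rated separately from NFU triage.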
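Review bot: the hunk at @@ -437,12 drops the only concrete criterion in the severity section (an exploit that needs a non-standard configuration or a binary rebuilt from source is not high severity), leaving just the general statement that assessments are made against the binaries Debian ships; if the review objected to the wording (`enable|disable`) rather than the rule, consider keeping a shorter sentence, e.g. `A vulnerability that is only reachable with non-default configuration or with a binary rebuilt from source is normally rated lower.`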
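Review bot: the hunk at @@ -569,8 replaces the requirement that the `NOTE:` link to the fixing commit with a general list of useful references, so an entry that records a fixed version no longer has to point at the fix that others can verify; suggest keeping the fixing commit as the minimum where one is known, e.g. `a NOTE: giving the URL of the fixing commit where known, plus other useful references such as bug tracker entries and advisories`. The new wording `a URL to useful references, like commit references` also reads oddly, since several references are listed for a single URL.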
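Review bot: the hunk at @@ -588,7 writes the description syntax as `[description]`, while the syntax summary a few lines earlier writes `CVE-YYYY-NNNNNN [(description)]`, so it is unclear whether the square brackets are literal or mark the field as optional and whether the parentheses are required; use the same notation in both places and say which characters are actually typed. The added sentence is also missing its full stop after `MITRE feed`, and it is worth saying that the description is called temporary precisely because it survives automatic updates only until the CVE description in the MITRE feed changes.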
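Review bot: in the hunk at @@ -604,8 the sentence `send a patch to the ... mailing list or a merge request in Salsa` attaches the verb `send` to the merge request as well; reword to `send a patch to the ... mailing list or open a merge request on Salsa`. The new Salsa bullet links the project root; linking the project's merge requests page directly would match the instruction it supports.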