[Secure-testing-team] resolving hard TODOs

Micah Anderson micah at debian.org
Thu Mar 3 00:45:57 UTC 2005


Here is the email that I prepared to ask for help, please review to
see if there are things missing, should be taken out, or changed. I
tried to make it fun so people would read it, but maybe it crosses a
line I am not aware of.

I was thinking of sending this to debian-devel, but perhaps it should
also be sent to debian-security.

I also need to figure out if people should send their suggestions to
secure-testing-team at lists.alioth.debian.org, or should the discussion
happen organically on the lists and then we can just collate any stray
information from there?

Thoughts?

Hello,

The Debian Testing Security Team[1] is in need of the larger community's
brain to help identify some difficult sarge security problems that are
sticking points in getting ready for release.

Contents of this message:
	Intro
	Background information
	How can I leverage my powerful brain to help sarge release?
	Let the games begin!
	This is fun, how else can I help?
	What do I win? huh? Huh?!


Background information
----------------------

The first thing the Debian Testing Security Team did was to check all
security holes since the release of Debian 3.0 to ensure that all the
holes are fixed in Sarge.

Now that this has finished, we are busy checking to make sure that
security problems that have already been fixed in unstable and stable
do not continue to affect testing, as well as dealing with new holes
as they are made known. Every day we get an updated list of Mitre's
comprehensive list of known security problems, known affectionately as
CAN numbers[2]. We go through old CANs as well as these new CANs and
check changelogs, advisories, test proof-of-concepts, whatever is
needed to confidently determine whether sarge is vulnerable or not. We
then record our findings in our file and file bugs, write patches,
do NMUs as necessary, track fixed packages and work with the Debian
Release Managers to make sure fixes reach testing quickly. The
result of this is the web page[3] which shows how many holes are
unfixed (that we know of) in testing, as well as indicates how many
unprocessed TODO items are still remaining for us to process.[4]

How can I leverage my powerful brain to help sarge release?
-----------------------------------------------------------

I'm glad you asked! Your brain is much bigger than our individual
brains, so we need the collective help of everyone to brainstorm 
solutions to some difficult remaining CANs.

There are a few CANs that are pretty vague in their broad
applicability, they potentially cover a number of packages and we need
help figuring out which packages those would be. Bonus points if you
can tell us if the package is affected by its associated CAN, extra
bonus points if you tell us the bug number that you filed to alert the
package maintainer of the security hole, tagged it security and added
a patch (if you can, you'll still get bonus points if you don't have
the patch). So without further ado, here they are, if you have any
information that can help us, please send it to ???

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?

2. What packages contain S/MIME besides mozilla, because the current
version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?

3. What packages modify JPEG images (CAN-2005-0406)[7]?

4. What packages contain libtiff code, besides libtiff4 3.6.1-4 which is
not affected due to DSA-617-1? (CAN-2004-1308)[8]?

5. What ftp programs are affected by directory traversal
vulnerabilities (CAN-2002-1345)[9]?

6. What packages in Debian are SMTP mailscanners that can be
potentially bypassed by fragmenting messages (CAN-2002-1121)[10].

7. Is our xpdf vulnerable to CAN-2005-0206[11]?


This is fun, how else can I help?
---------------------------------

Glad you asked! Any Debian developers with an interest in
participating are welcome to join the team, and we also welcome others
who have the skills and desire to help us. The team can be contacted
through its mailing list[12]. There is a second mailing
list[13] that receives commit messages to our repository. An alioth
project page[1] is also available. Have a read of this message[14] if
you are interested in participating, the details are there about how
to start helping check CANs on a regular basis.


What do I win? huh? Huh?!
-------------------------

You get a random little sticker that says either:

"I donated to Sarge today!" or
"What did YOU do to help Sarge release today?" or 
"Ask me why Sarge hasn't released yet!" or
"What are you lookin' at? I'm part of the solution!"

Ok, just kidding, but you also get our gratitude, these are annoying
and difficult. Thanks.


[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page tracks archive changes more quickly, but may be
inaccurate due to bugs in madison on newraff is here:
http://newraff.debian.org/~joeyh/testing-security.html
[5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0565
[6] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406
[8] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
[9] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345
[10] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1121
[11] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0206
[12] http://secure-testing.alioth.debian.org/secure-testing-team@lists.alioth.debian.org
[13] http://secure-testing.alioth.debian.org/secure-testing-commits@lists.alioth.debian.org
[14] http://lists.debian.org/debian-security/2004/10/msg00166.html
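The "which packages contain library X" questions above (item 4 in particular) are, for dynamically linked packages, a reverse-dependency lookup over the archive's Packages index. The following is an added example, not code from the message or from the Debian Testing Security Team: a small parser for the RFC 822-style stanzas of a Packages file that lists every package whose Depends or Pre-Depends names a given library, including as an alternative. The sample index, its package names and versions are constructed for illustration and are not a snapshot of sarge. The caveat a reviewer would want: embedded or statically linked copies of a library never appear in Depends, so those still need a source-level search (apt-file or grep over the unpacked source).

```python
"""Find reverse dependencies of a library in a Debian Packages index.

Added example (not part of the original message). The sample index below
is constructed for illustration; its package names and versions are not
real sarge data. Statically linked or embedded copies of a library do not
show up in Depends and still need a source-level search.
"""
import re

# Constructed sample excerpt of a Packages index (not real data).
SAMPLE_PACKAGES = """\
Package: libtiff4
Version: 3.6.1-4
Depends: libc6 (>= 2.3.2.ds1-4), libjpeg62, zlib1g (>= 1:1.2.1)
Description: Tag Image File Format library

Package: imageviewer-hypothetical
Version: 1.0-1
Depends: libc6 (>= 2.3.2.ds1-4), libtiff4 (>= 3.6.1), libgtk2.0-0
Description: constructed example of a package linking libtiff4
 with a multi-line description continuation

Package: scanner-frontend-hypothetical
Version: 0.5-2
Pre-Depends: libtiff4
Depends: libc6, libsane
Description: constructed example using Pre-Depends

Package: docconv-hypothetical
Version: 2.1-1
Depends: libc6, libtiff3g | libtiff4, libpng12-0
Recommends: libtiff-tools
Description: constructed example with an alternative dependency

Package: unrelated-hypothetical
Version: 0.1-1
Depends: libc6
Description: does not use libtiff
"""

# Fields that express a hard runtime dependency; Recommends/Suggests are
# deliberately left out so the result is "packages that link to it".
DEP_FIELDS = ("Depends", "Pre-Depends")


def parse_stanzas(text):
    """Split a Packages file into a list of {field: value} dicts.
    Continuation lines (leading whitespace) are folded into the previous
    field, as happens in Description."""
    stanzas = []
    current = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        # Only the first colon separates field from value; values such as
        # epoch versions "1:1.2.1" contain colons of their own.
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def dependency_names(field_value):
    """Return the bare package names in a Depends-style field, dropping
    version constraints "(>= 1.0)" and architecture qualifiers "[...]",
    and splitting alternatives "a | b" into both names."""
    names = set()
    for clause in field_value.split(","):
        for alt in clause.split("|"):
            alt = re.sub(r"\(.*?\)|\[.*?\]", "", alt).strip()
            if alt:
                names.add(alt)
    return names


def reverse_depends(packages_text, libname):
    """Sorted names of packages whose Depends/Pre-Depends mention libname.
    The library's own stanza is excluded."""
    hits = []
    for stanza in parse_stanzas(packages_text):
        name = stanza.get("Package")
        if name is None or name == libname:
            continue
        deps = set()
        for field in DEP_FIELDS:
            if field in stanza:
                deps |= dependency_names(stanza[field])
        if libname in deps:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    # On a real system the same function can be fed the contents of
    # /var/lib/apt/lists/*_Packages instead of the constructed sample.
    for pkg in reverse_depends(SAMPLE_PACKAGES, "libtiff4"):
        print(pkg)
```

Packages that appear only through an alternative ("libtiff3g | libtiff4") are reported too, since either branch may be what ends up installed; a hit from this list still has to be checked against the specific CAN before a bug is filed.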