[Secure-testing-team] regarding issue checking, all new members read this
Nico Golde
debian-secure-testing+ml at ngolde.de
Sat May 9 16:55:34 UTC 2009
Hi,
it has come to my attention that there seems to be a common
misunderstanding on how we check new issues popping up.
The most recent example of this is the handling of
CVE-2008-6792. I really don't want to blame anyone as this
seems to be a misunderstanding, so don't get this mail
wrong.
If you commit to the security tracker and triage a security
issue, make sure that your commit data is not based on the
CVE id description but on _research_.
This research includes reading the code, finding
fixes/commits in the upstream repository or even writing
patches yourself if you have the time to do that. If you
can't assure that, please add a TODO entry reflecting what is
missing from your research.
This is absolutely necessary to prevent integrating
false-positives or otherwise incorrect data in the security
tracker. People, and especially the stable security team,
loosely base (depending on the versions used in the
distribution) their decisions regarding stable security
updates on this data, and a lot of people require this data to
be correct (e.g. debsecan).
This also means that if the CVE id says that something is
vulnerable prior to version X you need to check if that is
the case as well as for the information given on
distro-specific issues. Always make sure you understand the
issue and are able to verify the information is correct.
While mitre tries to do their best on the issues, there is
often something fishy with the descriptions, missing
references etc. If you are aware of an error, please also
contact mitre (or even better, write a mail to oss-sec).
I know this is a lot more work but this is necessary to make
sure we are not getting replaced by a small shell script.
Thanks for your attention! ;-P
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.