From Fedora Project Wiki

Revision as of 09:55, 18 September 2014

Mission

   To provide the most secure operating environment to Fedora users.

How

The Fedora Security Team aims to ensure that users are protected from any vulnerabilities that exist in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via Bugzilla (https://bugzilla.redhat.com/). These bugs carry the "security" keyword in Bugzilla; for example: ndjbdns vulnerable to CVE-2012-1191 (ghost domain attack), https://bugzilla.redhat.com/show_bug.cgi?id=838761. The package maintainer then follows up with the upstream developers to obtain a patch or a new release that fixes the issue. Once such a patch or new release is available, the package maintainer builds a new version of the Fedora package and submits an update to the Fedora repositories via Bodhi (https://admin.fedoraproject.org/updates/).

It is a fairly straightforward process, but problems arise when package maintainers either don't understand the issue or are too busy to triage it in time. That is where the Fedora Security Team comes in to help. We work with the upstream developers to obtain the security fixes and help package maintainers push these fixes to the Fedora repositories.

Work Flow

  1. Find a bug (use one of the links in the "Current issues" table below to find an open bug)
  2. Own the bug (see "Taking ownership of tracking bugs" below)
  3. Determine whether the vulnerability is already fixed in Fedora by examining the current package version and/or talking with the packager
  4. Work with upstream to obtain a patch, or the version in which the issue is fixed
  5. Work with the packager to get the patch or fixed version packaged and pushed as a security update
  6. Close the bug once the vulnerability is addressed in the Fedora repositories.
  7. Do a little dance.
  8. GOTO 1

Taking ownership of tracking bugs

Each tracking bug we work on should have a person who owns it, for several reasons. It would be inefficient if the work were done twice, and collisions and misunderstandings might occur if two people tried to coordinate a fix with upstream and the packager independently. For these reasons, we indicate that we are working on a tracking bug by filling the Whiteboard field of the bug with the Bugzilla login of the owner:

   Whiteboard: fst_owner=<owner>,[<owner2>,<owner3>]

The FAS ID should be used as <owner>, as it simplifies further management. For the list of Bugzilla logins of Fedora Security Team members, see the Security Team Roster.

For multiple FST owners, the FAS IDs must be comma-separated and must NOT contain spaces; the "Unowned" Bugzilla searches below simply look for Whiteboards that do not contain the substring fst_owner=, so the field has to be written exactly in this form to be found.
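The ownership convention above and the "Current issues" buckets below can be checked mechanically. The following is an added example, not code from the Fedora Security Team: it parses the fst_owner= Whiteboard entry, flags entries that break the no-spaces rule, and sorts constructed sample bug records into the same priority/state buckets the team's saved Bugzilla searches use. The record field names (id, status, priority, keywords, whiteboard) are assumptions chosen to mirror Bugzilla's query parameters.

```python
import re
from typing import Dict, List

# Priority -> "Current issues" bucket, as in the team's saved Bugzilla searches.
PRIORITY_BUCKET = {"urgent": "Critical", "high": "Important", "medium": "Moderate",
                   "low": "Low", "unspecified": "Unknown"}
OPEN_STATES = {"NEW", "ASSIGNED"}
FIXED_PENDING_STATES = {"POST", "MODIFIED", "ON_DEV", "ON_QA"}
_OWNER_RE = re.compile(r"fst_owner=(\S*)")

def parse_fst_owners(whiteboard: str) -> List[str]:
    """FAS IDs from 'fst_owner=a,b,c' in the Whiteboard; [] when unowned."""
    m = _OWNER_RE.search(whiteboard or "")
    return [o for o in m.group(1).split(",") if o] if m else []

def whiteboard_problems(whiteboard: str) -> List[str]:
    """Flag Whiteboards that break the convention (space after comma, empty value)."""
    problems: List[str] = []
    if "fst_owner=" not in (whiteboard or ""):
        return problems                      # simply unowned, not malformed
    if re.search(r"fst_owner=\S*,\s", whiteboard):
        problems.append("space after comma: owners after it are not parsed")
    if not parse_fst_owners(whiteboard):
        problems.append("fst_owner= present but empty: hidden from the Unowned search")
    return problems

def triage(bugs: List[Dict[str, object]]) -> Dict[str, Dict[str, List[int]]]:
    """Group SecurityTracking bugs by bucket and by owned/unowned, like the saved searches."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for b in bugs:
        if "SecurityTracking" not in str(b.get("keywords", "")):
            continue                          # the searches require this keyword
        if b["status"] in OPEN_STATES:
            bucket = PRIORITY_BUCKET.get(str(b["priority"]), "Unknown") + " Vulnerabilities"
        elif b["status"] in FIXED_PENDING_STATES:
            bucket = "Bugs in MODIFIED, ON_DEV, ON_QA states"
        else:
            continue                          # CLOSED etc. are not tracked
        key = "owned" if parse_fst_owners(str(b["whiteboard"])) else "unowned"
        report.setdefault(bucket, {"owned": [], "unowned": []})[key].append(int(b["id"]))
    return report

# Constructed sample records, not real Bugzilla data.
SAMPLE_BUGS = [
    {"id": 1, "status": "NEW", "priority": "urgent", "keywords": "Security, SecurityTracking", "whiteboard": "fst_owner=alice"},
    {"id": 2, "status": "ASSIGNED", "priority": "high", "keywords": "SecurityTracking", "whiteboard": ""},
    {"id": 3, "status": "MODIFIED", "priority": "low", "keywords": "SecurityTracking", "whiteboard": "fst_owner=bob,carol"},
    {"id": 4, "status": "NEW", "priority": "medium", "keywords": "Security", "whiteboard": ""},
]
```

Running `triage(SAMPLE_BUGS)` lists bug 2 as an unowned Important vulnerability and leaves bug 4 out entirely because it lacks the SecurityTracking keyword.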

IRC Channel: #fedora-security-team, #fedora-security
Mailing List: security-team (Security Team mailing list); security (general security mailing list, good for questions)
Meetings: Schedule and Agenda (wiki page Security_Team_meetings)
Current issues (saved Bugzilla searches; each "Unowned" search matches bugs whose Status Whiteboard does not contain fst_owner=):
  Critical Vulnerabilities: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced
    Unowned: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&o1=notsubstring&priority=urgent&query_format=advanced&v1=fst_owner%3D
  Important Vulnerabilities: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced
    Unowned: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&o1=notsubstring&priority=high&query_format=advanced&v1=fst_owner%3D
  Moderate Vulnerabilities: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced
    Unowned: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&o1=notsubstring&priority=medium&query_format=advanced&v1=fst_owner%3D
  Low Vulnerabilities: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced
    Unowned: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&o1=notsubstring&priority=low&query_format=advanced&v1=fst_owner%3D
  Unknown Vulnerabilities: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&priority=unspecified&query_format=advanced
    Unowned: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&o1=notsubstring&priority=unspecified&query_format=advanced&v1=fst_owner%3D
  Bugs in MODIFIED, ON_DEV, ON_QA states: https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced
    Unowned: https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&o1=notsubstring&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced&v1=fst_owner%3D

Hall of Fame

Getting Involved

Getting involved in the FST is easy. First, subscribe to the security-team mailing list. Next, join us in the #fedora-security-team IRC channel. Finally, read the work flow above and jump in. If you have questions, please ask them on IRC or on the list.