From Fedora Project Wiki

== Assisting with Vulnerability Patching ==
This is the work flow for helping fix security bugs in Fedora and EPEL.


# Select an open security bug from -> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=Security%2C%20SecurityTracking%2C%20&query_format=advanced Open issues].
# [[Security_Team_Work_Flow#Bug_Ownership|Own the bug]].
# Examine the bug details and validate that it is really a security issue.
# Determine if a fix is available and if the vulnerability is already fixed in Fedora by examining the current version and/or talking with the package maintainer.
# If a fix is not available, work with the upstream developers via bug tracking/mailing list/IRC channels to obtain a patch or new version which fixes the issue.
# Work with the package maintainer to get the patch or fixed version packaged and pushed as a security update.
# GOTO 1;

If you run into a [[Policy_for_nonresponsive_package_maintainers | nonresponsive package maintainer]] we follow Release Engineering policy to overcome these issues.
=== Bug Ownership ===
Each tracking bug should have an owner for several reasons. It would be inefficient if the work were done twice, and collisions and misunderstandings might occur if two people tried to coordinate a fix with an upstream developer independently. For these reasons, we indicate that we are working on a tracking bug by filling the Whiteboard of the bug with the Bugzilla user name of the owner:
    Whiteboard: fst_owner=<owner>,[<owner2>,<owner3>]
The FAS ID should be used as <owner>; it simplifies further management. For the list of Bugzilla user names of the Fedora Security Team see the [[Security Team Roster]].
'''Note: For multiple FST owners, FAS IDs should be comma-separated and NOT contain spaces.'''
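As an added example (not code from the wiki or the Fedora Security Team), the following Python checks a tracking bug's Whiteboard against the fst_owner convention above, builds a well-formed claim, and groups unowned bugs into the same priority buckets the Bugzilla Links queries use. The sample bugs and the FAS ID pattern are constructed assumptions.

```python
import re

# Constructed sample tracking bugs (not real Bugzilla records): (bug id, priority, whiteboard)
SAMPLE_BUGS = [
    (1001, "urgent", "fst_owner=alice"),
    (1002, "high", "fst_owner=alice,bob"),
    (1003, "high", ""),                         # no fst_owner field: unowned
    (1004, "medium", "fst_owner=carol, dave"),  # space after the comma violates the rule
    (1005, "unspecified", "fst_owner="),        # field present but no owner named
]

# Bugzilla priority -> severity bucket used by the queries in the Bugzilla Links section
PRIORITY_LABEL = {"urgent": "Critical", "high": "Important", "medium": "Moderate",
                  "low": "Low", "unspecified": "Unknown"}
FAS_ID_RE = re.compile(r"^[a-z][a-z0-9]*$")  # assumed FAS ID shape for this example

def parse_fst_owners(whiteboard):
    """Return FAS IDs listed after fst_owner=, [] if absent; ValueError if malformed."""
    idx = whiteboard.find("fst_owner=")
    if idx < 0:
        return []
    rest = whiteboard[idx + len("fst_owner="):]
    value = rest.split()[0] if rest.strip() else ""  # value ends at the first whitespace
    owners = value.split(",")
    if not all(FAS_ID_RE.match(o) for o in owners):
        raise ValueError(f"malformed fst_owner value {value!r}: "
                         "owners must be comma-separated FAS IDs with no spaces")
    return owners

def claim_whiteboard(owners):
    """Build the Whiteboard text for owning a bug, normalising to the no-spaces rule."""
    owners = [o.strip() for o in owners]
    if not owners or not all(FAS_ID_RE.match(o) for o in owners):
        raise ValueError("each owner must be a single FAS ID")
    return "fst_owner=" + ",".join(owners)

def triage(bugs):
    """Split bugs into owned, unowned (grouped by severity bucket) and malformed."""
    owned, unowned, malformed = {}, {}, {}
    for bug_id, priority, whiteboard in bugs:
        try:
            owners = parse_fst_owners(whiteboard)
        except ValueError as err:
            malformed[bug_id] = str(err)   # fix the Whiteboard before anyone relies on it
            continue
        if owners:
            owned[bug_id] = owners
        else:
            unowned.setdefault(PRIORITY_LABEL.get(priority, "Unknown"), []).append(bug_id)
    return owned, unowned, malformed
```

Bugs reported as malformed here would also slip past the "Unowned" Bugzilla queries, which only test whether the substring fst_owner= is present.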
=== Bugzilla Links ===
* '''Open issues'''
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced Critical Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=urgent&v2=urgent Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced Important Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=high&v2=high Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced Moderate Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=medium&v2=medium Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced Low Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=low&v2=low Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&priority=unspecified&query_format=advanced Unknown Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=unspecified&v2=unspecified Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced Bugs in MODIFIED, ON_DEV, ON_QA states] [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&o1=notsubstring&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced&v1=fst_owner%3D Unowned]
== Working with newly reported vulnerabilities ==
TBD
== Code Review ==
TBD
<!--
== Tools/Resources ==
* [http://rootkit.nl/projects/lynis.html lynis]
* [http://www.trapkit.de/tools/checksec.html checksec]
* [https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/index.html Defensive coding]
* [https://fedorahosted.org/scap-security-guide/ SCAP Security Guide]
* [http://people.redhat.com/sgrubb/security/ Security Assessment Tools/Scripts]
* [https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers Nonresponsive Package Maintainers Policy]
-->


[[Category:Security Team]]

Revision as of 17:04, 19 August 2016