Hi all,

A recent discussion on the #archlinux-security IRC channel led to the proposal of posting security announcements to the arch-security mailing list every time a vulnerability concerning an Arch Linux package is disclosed, as other distributions are already doing [1][2]. The final goal is to be able to notify Arch users that they may need to quickly upgrade a specific package due to a vulnerability.

In order to do so efficiently, I believe we need to think of a way for package maintainers to notify the Arch Linux CVE Monitoring Team (or whoever is handling advisories) when they upgrade a package due to a specific security issue (if they are aware of it, of course). This would be complementary to the role of the CVE Monitoring Team, which is to monitor CVEs and let package maintainers know when a package needs to be upgraded / patched to fix a vulnerability.

Based on an idea by Bluewind, I made the following template for advisories, and will be sending an advisory for the recent NSS vulnerability as an example in the next few minutes. Any comments on the idea of security advisories and/or this template are welcome.

Best regards,
Remi

[1] https://lists.debian.org/debian-security-announce/
[2] http://www.gentoo.org/security/en/glsa/index.xml

Template:

Subject: [Arch Linux Security Advisory <YYYYMM-N>] <Package>: <Vulnerability Type>

Body:

Arch Linux Security Advisory YYYYMM-N
=====================================
Severity: Low, Medium, High, Critical
Date    : YYYY-MM-DD
CVE-ID  : <CVE-ID>
Package : <package>
Type    : <Vulnerability Type>
Remote  : <Yes/No>
Link    : https://wiki.archlinux.org/index.php/CVE-YYYY

Summary
=======
The package <package> before version <Arch Linux fixed version> is vulnerable to <Vulnerability type>.

Resolution
==========
Upgrade to <Arch Linux fixed version>.
The problem has been fixed upstream in version <upstream fixed version>.
Workaround
==========
<Is there a way to mitigate this vulnerability without upgrading?>

Description
===========
<Long description, for example from original advisory>.

Impact
======
<What is it that an attacker can do? Does this need existing pre-conditions to be exploited (valid credentials, physical access)? Is this remotely exploitable?>

References
==========
<CVE-Link>
<Upstream report>
<Arch Linux Bug-Tracker>
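Since the template above is meant to be filled in by hand by whoever sends the advisory, a small consistency check before mailing catches the usual slips (a severity outside the four allowed values, a malformed date or CVE id, a Link that points at the wrong year's wiki page). The following is an added example, not part of Remi's mail or of any Arch tooling: it parses the header block of an advisory written in the proposed template and reports what does not match it. The sample advisory embedded in it is constructed for illustration; the package name, version, CVE id and advisory number in it are made up.

```python
"""Parse and sanity-check an advisory written in the proposed template.

Added example; the SAMPLE advisory below is constructed and every value
in it (package, version, CVE id, advisory number) is a made-up placeholder.
"""
import re
from datetime import date

SEVERITIES = {"Low", "Medium", "High", "Critical"}
ADVISORY_ID_RE = re.compile(r"^\d{6}-\d+$")        # YYYYMM-N
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")          # CVE-YYYY-NNNN...
HEADER_FIELDS = ("Severity", "Date", "CVE-ID", "Package", "Type", "Remote", "Link")

SAMPLE = """\
Arch Linux Security Advisory 201406-1
=====================================
Severity: High
Date    : 2014-06-12
CVE-ID  : CVE-2014-0000
Package : example-pkg
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======
The package example-pkg before version 1.2.3-1 is vulnerable to remote code execution.
"""


def parse_advisory(text):
    """Return (advisory_id, header) where header maps field name to value.

    Only the title line and the header block (everything up to the first
    blank line) are parsed; the free-text sections are left alone.
    """
    lines = text.splitlines()
    m = re.match(r"^Arch Linux Security Advisory (\S+)$", lines[0])
    if not m:
        raise ValueError("first line is not an advisory title")
    advisory_id = m.group(1)
    header = {}
    for line in lines[2:]:                 # skip title and its underline
        if not line.strip():
            break                          # blank line ends the header block
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        header[key.strip()] = value.strip()
    return advisory_id, header


def validate(advisory_id, header):
    """Return a list of problems; an empty list means the header fits the template."""
    problems = []
    if not ADVISORY_ID_RE.match(advisory_id):
        problems.append(f"advisory id {advisory_id!r} is not of the form YYYYMM-N")
    for field in HEADER_FIELDS:
        if field not in header:
            problems.append(f"missing header field {field}")
    if header.get("Severity") not in SEVERITIES:
        problems.append(f"Severity {header.get('Severity')!r} not in {sorted(SEVERITIES)}")
    try:
        date.fromisoformat(header.get("Date", ""))
    except ValueError:
        problems.append(f"Date {header.get('Date')!r} is not YYYY-MM-DD")
    cve = header.get("CVE-ID", "")
    if not CVE_RE.match(cve):
        problems.append(f"CVE-ID {cve!r} is not a CVE identifier")
    elif not header.get("Link", "").endswith("/" + cve[:8]):
        # The template's Link is the per-year wiki page (CVE-YYYY); it should
        # match the year embedded in the CVE id.
        problems.append(f"Link does not point at the wiki page for {cve[:8]}")
    if header.get("Remote") not in {"Yes", "No"}:
        problems.append(f"Remote must be Yes or No, got {header.get('Remote')!r}")
    return problems


if __name__ == "__main__":
    aid, hdr = parse_advisory(SAMPLE)
    for p in validate(aid, hdr) or ["header OK"]:
        print(p)
```

Run against the constructed sample it prints "header OK"; swapping in a severity such as "Urgent" or a Remote value other than Yes/No produces one line per problem, which is what one would want from a pre-send hook on the advisory text.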