Hi all,
A recent discussion on the #archlinux-security IRC channel led to the
proposal of posting security announcements to the arch-security
mailing-list every time a vulnerability concerning an Arch Linux package
is disclosed, as other distributions are already doing [1][2].
The final goal is to be able to notify Arch users that they may need to
quickly upgrade a specific package due to a vulnerability. In order to
do so efficiently, I believe we need to think of a way for package
maintainers to notify the Arch Linux CVE Monitoring Team (or whoever is
handling advisories) when they upgrade a package due to a specific
security issue (if they are aware of it, of course).
This would be complementary to the role of the CVE Monitoring Team,
which is to monitor CVEs and let package maintainers know when a package
needs to be upgraded / patched to fix a vulnerability.
Based on an idea by Bluewind, I made the following template for
advisories, and will be sending an advisory for the recent NSS
vulnerability as an example in the next few minutes. Any comments on the
idea of security advisories and/or this template are welcome.
Best regards,
Remi
[1] https://lists.debian.org/debian-security-announce/
[2] http://www.gentoo.org/security/en/glsa/index.xml
Template:
Subject:
[Arch Linux Security Advisory <YYYYMM-N>] <Package>: <Vulnerability Type>
Body:
Arch Linux Security Advisory YYYYMM-N
=====================================
Severity: Low, Medium, High, Critical
Date : YYYY-MM-DD
CVE-ID : <CVE-ID>
Package : <package>
Type : <Vulnerability Type>
Remote :

References
==========
<CVE-Link>
<Upstream report>
<Arch Linux Bug-Tracker>
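A small parser and sanity checker for advisories written in this template, added here as an example (it is not part of Remi's message or of any Arch Linux tooling). It assumes a free-text value such as "Yes" for the Remote field, which the template leaves unspecified, and runs on a constructed sample advisory whose id, CVE number and links are placeholders.

```python
import re
# Constructed sample in the proposed template (placeholder id, CVE and links, not a real advisory)
SAMPLE_SUBJECT = "[Arch Linux Security Advisory 201406-1] nss: certificate validation bypass"
SAMPLE_BODY = """Arch Linux Security Advisory 201406-1
=====================================
Severity: High
Date : 2014-06-30
CVE-ID : CVE-2014-1234
Package : nss
Type : certificate validation bypass
Remote : Yes
References
==========
https://cve.example.invalid/CVE-2014-1234
https://bugs.example.invalid/12345
"""
SEVERITIES = {"Low", "Medium", "High", "Critical"}
REQUIRED = ("Severity", "Date", "CVE-ID", "Package", "Type", "Remote")
SUBJECT_RE = re.compile(r"^\[Arch Linux Security Advisory (\d{6}-\d+)\] (\S+): (.+)$")
HEADER_RE = re.compile(r"^Arch Linux Security Advisory (\d{6}-\d+)$")
FIELD_RE = re.compile(r"^(Severity|Date|CVE-ID|Package|Type|Remote)\s*:\s*(.*)$")

def parse_advisory(subject, body):
    """Parse an advisory in the template above; return (fields, list of problems)."""
    fields, problems = {"references": []}, []
    m = SUBJECT_RE.match(subject)
    if m:
        fields["id"], fields["subject_package"], fields["subject_type"] = m.groups()
    else:
        problems.append("subject does not match template")
    lines = body.splitlines()
    h = HEADER_RE.match(lines[0]) if lines else None
    if not h:
        problems.append("body must start with the advisory title line")
    elif "id" in fields and h.group(1) != fields["id"]:
        problems.append("advisory id in body differs from subject")
    in_refs = False
    for line in lines[1:]:
        if line.strip() == "References":
            in_refs = True  # every non-empty line after this heading is a reference link
        elif in_refs and line.strip("= "):  # skip the ==== underline and blank lines
            fields["references"].append(line.strip())
        elif not in_refs and (fm := FIELD_RE.match(line)):
            fields[fm.group(1)] = fm.group(2).strip()
    problems += [f"missing or empty field: {n}" for n in REQUIRED if not fields.get(n)]
    if fields.get("Severity") and fields["Severity"] not in SEVERITIES:
        problems.append(f"unknown severity {fields['Severity']!r}")
    if fields.get("CVE-ID") and not re.fullmatch(r"CVE-\d{4}-\d{4,}", fields["CVE-ID"]):
        problems.append(f"malformed CVE id {fields['CVE-ID']!r}")
    return fields, problems
```

An empty problem list means the mail follows the template; a list-processing bot could reject or flag anything else before it reaches subscribers.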