[arch-security] How to properly report vulnerabilities
Should I open a bug report saying that e.g. some Arch package has certain vulnerability, mark the report as critical and wait for someone to set it as private? How do we deal with such sensitive information? I've looked in the wiki, but neither https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
Hello Karol,
The "procedure" section of [1] says that. However, it only pertains to ACMT members. I think any other user could do the same.
[1] https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 28.06.2014 18:23, schrieb Karol Blazewicz:
Should I open a bug report saying that e.g. some Arch package has certain vulnerability, mark the report as critical and wait for someone to set it as private? How do we deal with such sensitive information?
I've looked in the wiki, but neither https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
On 29/06/14 02:23, Karol Blazewicz wrote:
Should I open a bug report saying that e.g. some Arch package has certain vulnerability, mark the report as critical and wait for someone to set it as private? How do we deal with such sensitive information?
I've looked in the wiki, but neither https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
If you have a private bug to report, then use security@archlinux.org. If the bug is public, just file a bug report.
Allan
On Sat, Jun 28, 2014 at 11:35 PM, Allan McRae <allan@archlinux.org> wrote:
On 29/06/14 02:23, Karol Blazewicz wrote:
Should I open a bug report saying that e.g. some Arch package has certain vulnerability, mark the report as critical and wait for someone to set it as private? How do we deal with such sensitive information?
I've looked in the wiki, but neither https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
If you have a private bug to report, then use security@archlinux.org. If the bug is public, just file a bug report.
Allan
Should I add a warning to the wiki not to report private bugs to the bug tracker but to the ML?
|| Should I add a warning to the wiki not to report private bugs to the
|| bug tracker but to the ML?
I would encourage you to. It need not be listed as a "warning." A special section added to the Procedure section, in my opinion, would be sufficient.
Thanks for your efforts, Karol
BW
-- Billy Wayne McCann, Ph.D. irc://irc.freenode.net:bwayne "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)
Also, recall Allan's instructions. Do not post private bugs to the ML, as the ML itself is open, IIRC. Use the email that Allan provided.
|| If you have a private bug to report, then use security@archlinux.org.
-- Billy Wayne McCann, Ph.D. irc://irc.freenode.net:bwayne "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)
On Sun, Jul 6, 2014 at 10:52 AM, Billy McCann <thebillywayne@gmail.com> wrote:
|| Should I add a warning to the wiki not to report private bugs to the
|| bug tracker but to the ML?
I would encourage you to. It need not be listed as a "warning." A special section added to the Procedure section, in my opinion, would be sufficient.
Thanks for your efforts, Karol
BW
-- Billy Wayne McCann, Ph.D. irc://irc.freenode.net:bwayne "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)
On Sun, Jul 6, 2014 at 6:30 PM, Billy McCann <thebillywayne@gmail.com> wrote:
Also, recall Allan's instructions. Do not post private bugs to the ML, as the ML itself is open, IIRC. Use the email that Allan provided.
|| If you have a private bug to report, then use security@archlinux.org.
I think security@archlinux.org is a ML as well. I wasn't referring to the arch-security ML, but it wasn't clear from my e-mail. Sorry about it.
On Sun, Jul 6, 2014 at 10:52 AM, Billy McCann <thebillywayne@gmail.com> wrote:
|| Should I add a warning to the wiki not to report private bugs to the
|| bug tracker but to the ML?
I would encourage you to. It need not be listed as a "warning." A special section added to the Procedure section, in my opinion, would be sufficient.
Done: https://wiki.archlinux.org/index.php?title=Arch_CVE_Monitoring_Team&diff=323962&oldid=320604
|| Done: https://wiki.archlinux.org/index.php?title=Arch_CVE_Monitoring_Team&diff=323962&oldid=320604
Great work.
participants (4): Allan McRae, Billy McCann, Karol Blazewicz, Noel Kuntze