[arch-security] Arch Linux Security Advisories
Hi all,

A recent discussion on the #archlinux-security IRC channel led to the proposal of posting security announcements to the arch-security mailing list every time a vulnerability concerning an Arch Linux package is disclosed, as other distributions are already doing [1][2].

The final goal is to be able to notify Arch users that they may need to quickly upgrade a specific package due to a vulnerability. In order to do so efficiently, I believe we need to think of a way for package maintainers to notify the Arch Linux CVE Monitoring Team (or whoever is handling advisories) when they upgrade a package due to a specific security issue (if they are aware of it, of course). This would be complementary to the role of the CVE Monitoring Team, which is to monitor CVEs and let package maintainers know when a package needs to be upgraded / patched to fix a vulnerability.

Based on an idea by Bluewind, I made the following template for advisories, and will be sending an advisory for the recent NSS vulnerability as an example in the next few minutes. Any comments on the idea of security advisories and/or this template are welcome.

Best regards,
Remi

[1] https://lists.debian.org/debian-security-announce/
[2] http://www.gentoo.org/security/en/glsa/index.xml

Template:

Subject: [Arch Linux Security Advisory <YYYYMM-N>] <Package>: <Vulnerability Type>

Body:

Arch Linux Security Advisory YYYYMM-N
=====================================

Severity: Low, Medium, High, Critical
Date    : YYYY-MM-DD
CVE-ID  : <CVE-ID>
Package : <package>
Type    : <Vulnerability Type>
Remote  : <Yes/No>
Link    : https://wiki.archlinux.org/index.php/CVE-YYYY

Summary
=======

The package <package> before version <Arch Linux fixed version> is vulnerable to <Vulnerability type>.

Resolution
==========

Upgrade to <Arch Linux fixed version>. The problem has been fixed upstream in version <upstream fixed version>.

Workaround
==========

<Is there a way to mitigate this vulnerability without upgrading?>

Description
===========

<Long description, for example from original advisory>.

Impact
======

<What is it that an attacker can do? Does this need existing pre-conditions to be exploited (valid credentials, physical access)? Is this remotely exploitable?>

References
==========

<CVE-Link>
<Upstream report>
<Arch Linux Bug-Tracker>
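A small parser and consistency check for advisories written in the template above, added here as an example; it is not code from the Arch Linux project or from anyone in this thread. The field names and section headings are taken from the template itself; the sample advisory is constructed, and both the package name "examplepkg" and the number CVE-2014-0000 are placeholders rather than a real package or a real CVE assignment. The check is what a list moderator or a script feeding the wiki page would want to run before an advisory goes out: the ASA id in the subject and body must agree, the header fields must be well-formed, and no section may be missing or left empty.

```python
"""Parse and sanity-check an advisory in the ASA template proposed in this thread.
Added example; not code from the Arch Linux project or from the thread.  The
sample advisory is constructed: 'examplepkg' and CVE-2014-0000 are placeholders."""
import re
from datetime import date

# Field names and section headings are taken from the proposed template.
SUBJECT_RE = re.compile(r"^\[Arch Linux Security Advisory (?P<id>\d{6}-\d+)\] "
                        r"(?P<package>\S+): (?P<type>.+)$")
TITLE_RE = re.compile(r"^Arch Linux Security Advisory (?P<id>\d{6}-\d+)$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z-]+)\s*:\s*(?P<value>.*)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITIES = ("Low", "Medium", "High", "Critical")
REQUIRED_HEADERS = ("Severity", "Date", "CVE-ID", "Package", "Type", "Remote", "Link")
REQUIRED_SECTIONS = ("Summary", "Resolution", "Workaround", "Description", "Impact", "References")

def _is_rule(line):                      # a line of '=' signs underlining a heading
    return bool(line) and set(line) == {"="}

def _is_date(text):                      # strict: also rejects shapes like 2014-13-40
    try:
        return bool(date.fromisoformat(text))
    except ValueError:
        return False

def parse_advisory(subject, body):
    """Return (subject fields, ASA id from the body title, headers, sections)."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        raise ValueError("subject does not follow the ASA template")
    lines = [ln.rstrip() for ln in body.strip().splitlines()]
    t = TITLE_RE.match(lines[0]) if lines else None
    if not t or len(lines) < 2 or not _is_rule(lines[1]):
        raise ValueError("body does not start with an underlined ASA title")
    # A heading is a non-blank line underlined with '='; the 'Key : value'
    # header block is everything between the title and the first heading.
    heads = [k for k in range(2, len(lines) - 1) if lines[k] and _is_rule(lines[k + 1])]
    headers = {}
    for ln in filter(None, lines[2:heads[0]] if heads else lines[2:]):
        h = HEADER_RE.match(ln)
        if not h:
            raise ValueError("bad header line: %r" % ln)
        headers[h["key"]] = h["value"].strip()
    sections = {}
    for n, k in enumerate(heads):
        end = heads[n + 1] if n + 1 < len(heads) else len(lines)
        sections[lines[k].strip()] = "\n".join(lines[k + 2:end]).strip()
    return m.groupdict(), t["id"], headers, sections

def check_advisory(subject, body):
    """List the ways the advisory deviates from the template; [] means consistent."""
    subj, body_id, headers, sections = parse_advisory(subject, body)
    checks = [
        (subj["id"] == body_id, "ASA id in subject and body differ"),
        (headers.get("Package") == subj["package"], "Package header does not match subject"),
        (headers.get("Severity") in SEVERITIES, "Severity must be one of " + ", ".join(SEVERITIES)),
        (_is_date(headers.get("Date", "")), "Date is not YYYY-MM-DD"),
        (CVE_RE.match(headers.get("CVE-ID", "")), "CVE-ID is not of the form CVE-YYYY-NNNN"),
        (headers.get("Remote") in ("Yes", "No"), "Remote must be Yes or No"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    problems += ["missing header: " + k for k in REQUIRED_HEADERS if not headers.get(k)]
    problems += ["missing or empty section: " + s for s in REQUIRED_SECTIONS if not sections.get(s)]
    return problems

# Constructed sample, filled in from the template (placeholder package and CVE number).
SAMPLE_SUBJECT = "[Arch Linux Security Advisory 201409-1] examplepkg: denial of service"
SAMPLE_BODY = """\
Arch Linux Security Advisory 201409-1
=====================================
Severity: Medium
Date    : 2014-09-26
CVE-ID  : CVE-2014-0000
Package : examplepkg
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======
The package examplepkg before version 1.2.3-2 is vulnerable to denial of service.
Resolution
==========
Upgrade to 1.2.3-2. The problem has been fixed upstream in version 1.2.4.
Workaround
==========
None known.
Description
===========
A crafted request makes the service exhaust its memory.
Impact
======
A remote attacker can crash the service without any credentials.
References
==========
https://wiki.archlinux.org/index.php/CVE-2014
"""
```

check_advisory(SAMPLE_SUBJECT, SAMPLE_BODY) returns an empty list for the sample; editing the Severity to a value outside the four the template allows, or changing the ASA number in the subject only, makes it return the corresponding message. Multiple CVE ids in one advisory are not handled here, since the template has a single <CVE-ID> slot.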
On Thu, 25 Sep 2014 18:53:45 +0200 Remi Gacogne <rgacogne-arch@coredump.fr> wrote:
Hi all,
A recent discussion on the #archlinux-security IRC channel led to the proposal of posting security announcements to the arch-security mailing-list every time a vulnerability concerning an Arch Linux package is disclosed, as other distributions are already doing [1][2].
+1. Good proposal. Could you provide an RSS too?

Thanks,
Xan
On 09/26/2014 11:44 AM, Xan wrote:
+1. Good proposal. Could you provide an RSS too?
I think that's a great idea, we should definitely do that. I have no idea how the existing Arch RSS feeds [1] are generated though, and if/how we can add one without too much trouble.

[1] https://www.archlinux.org/feeds/
On 26 Sep 2014 17:44, "Remi Gacogne" <rgacogne-arch@coredump.fr> wrote:
On 09/26/2014 11:44 AM, Xan wrote:
+1. Good proposal. Could you provide an RSS too?
I think that's a great idea, we should definitely do that. I have no idea how the existing Arch RSS feeds [1] are generated though, and if/how we can add one without too much trouble.
No need for new code as this is already provided for: http://dir.gmane.org/gmane.linux.arch.security

This works for most mailing lists, btw.

On the other hand: arch-security is a low-volume list, so one could also consider subscribing to the list and/or watching the wiki: https://wiki.archlinux.org/index.php/CVE-2014

I'm not sure if you can get notifications for the wiki.

Regards,
Guus
On 09/26/2014 09:31 PM, Guus Snijders wrote:
This works for most mailing lists, btw. On the other hand: arch-security is a low-volume list, so one could also consider subscribing to the list and/or watching the wiki: https://wiki.archlinux.org/index.php/CVE-2014
I'm not sure if you can get notifications for the wiki.
Sure, but it's disabled by default: Preferences -> User profile -> Email options -> "Email me when a page or file on my watchlist is changed"

cheers
Levente
On Fri, 26 Sep 2014 21:36:25 +0200 Levente Polyak <levente@leventepolyak.net> wrote:
On 09/26/2014 09:31 PM, Guus Snijders wrote:
This works for most mailing lists, btw. On the other hand: arch-security is a low-volume list, so one could also consider subscribing to the list and/or watching the wiki: https://wiki.archlinux.org/index.php/CVE-2014
I'm not sure if you can get notifications for the wiki.
Sure, but it's disabled by default: Preferences -> User profile -> Email options -> "Email me when a page or file on my watchlist is changed"

cheers
Levente
Thanks folks
Hi all,

On 09/25/2014 06:53 PM, Remi Gacogne wrote:
A recent discussion on the #archlinux-security IRC channel led to the proposal of posting security announcements to the arch-security mailing-list every time a vulnerability concerning an Arch Linux package is disclosed, as other distributions are already doing.
We have also created a Security Advisories [0] wiki page which lists the most recent advisories from this mailing list. After a short discussion on IRC we have chosen the ASA-YYYYMM-N identifier (which you may already have noticed from Remi's last advisory). This ASA-ID can be used as a short reference and is also included in the new advisories page [0] and the CVE-2014 page [2].
Based on an idea by Bluewind, I made the following template for advisories, and will be sending an advisory for the recent NSS vulnerability as an example in the next few minutes.
The template can also be found at the wiki page [1] and reflects the current state of the advisory template.

kind regards,
Levente

[0] https://wiki.archlinux.org/index.php/Security_Advisories
[1] https://wiki.archlinux.org/index.php/Security_Advisories#Template
[2] https://wiki.archlinux.org/index.php/CVE-2014
Hi *,

I like that idea! I think security updates etc. could need some more attention.

I don't know anything about arch and pacman internals (I'm rather new to arch, if that counts as a justification ;) ), so I don't know if that's doable or already discussed, etc., but: what I, as a user, would like to see as a final result of this connecting-CVEs-with-updates thing is that new versions of packages can be marked as closing a security vulnerability. That allows for various cool things, such as

- periodically running some command that updates the package lists and, if there is an update involving a security fix, notifies the user
- if you like, automatically updating such packages if only the bugfix version number changes (and the package is not on a blacklist and ... whatever rule you define)

At the moment, I update very often, because I think "maybe there's a security fix somewhere, better take care", and I never know if I should reboot (or at least restart some things). Once that has been implemented reliably, I could be a little more relaxed about this (e.g. not upgrade at all when I don't have much time for a week or two, unless there's such a notification).

As I said, just a suggestion from an unknowing user point of view ;)

regards,
Marian
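The notification Marian describes needs one decision per advisory: is the installed version of the package older than the first fixed version the advisory names? Arch versions are compared by pacman's vercmp, and a naive string or float comparison gets cases like 1.10 vs 1.9, 1.0a vs 1.0, or an epoch bump (1:3.0 vs 3.0) wrong. The following is an added example, not code from pacman or from anyone in this thread: _rpmvercmp and vercmp are a Python port of the comparison rules of pacman's vercmp (epoch, then pkgver, then pkgrel, each compared segment by segment with numeric segments beating alphabetic ones, leading zeros ignored, and a trailing alphabetic segment ranking below no segment at all), applied to a constructed advisory list and constructed `pacman -Q` output. On a real system you would shell out to `vercmp` from pacman rather than reimplement it; the ASA ids, package names and versions below are made up.

```python
"""Decide which installed packages are still below the version an advisory names.
Added example, not code from pacman or from the thread: _rpmvercmp and vercmp
are a Python port of the comparison rules of pacman's vercmp (epoch, then
pkgver, then pkgrel).  On a real system shell out to `vercmp` instead.
The advisory list and the `pacman -Q` output below are constructed."""


def _rpmvercmp(a, b):
    """Segment-wise comparison, rpmvercmp style: returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0            # current position in a and b
    pi = pj = 0          # where the previous segment ended
    while i < len(a) and j < len(b):
        while i < len(a) and not a[i].isalnum():    # skip separator characters
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        if i - pi != j - pj:                        # separator runs of different length
            return -1 if i - pi < j - pj else 1
        isnum = a[i].isdigit()                      # segment type follows a
        same = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same(a[i]):
            i += 1
        while j < len(b) and same(b[j]):
            j += 1
        if sj == j:                                 # b's segment is the other type:
            return 1 if isnum else -1               # numeric beats alpha
        x, y = a[si:i], b[sj:j]
        if isnum:
            x, y = x.lstrip("0"), y.lstrip("0")     # leading zeros are not significant
            if len(x) != len(y):                    # more digits wins
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        pi, pj = i, j
    if i >= len(a) and j >= len(b):
        return 0
    # Leftovers: a remaining numeric segment is newer (1.0 < 1.0.1),
    # a remaining alpha segment is older (1.0a < 1.0).
    a_left = a[i] if i < len(a) else ""
    b_left = b[j] if j < len(b) else ""
    if (not a_left and not b_left.isalpha()) or a_left.isalpha():
        return -1
    return 1


def vercmp(a, b):
    """Compare [epoch:]pkgver[-pkgrel] strings the way pacman does: -1, 0 or 1."""
    if a == b:
        return 0

    def split(v):
        epoch, sep, rest = v.partition(":")
        if not (sep and epoch.isdigit()):
            epoch, rest = "0", v
        ver, sep, rel = rest.rpartition("-")
        return (epoch, ver, rel) if sep else (epoch, rest, None)

    e1, v1, r1 = split(a)
    e2, v2, r2 = split(b)
    ret = _rpmvercmp(e1, e2) or _rpmvercmp(v1, v2)
    if ret == 0 and r1 is not None and r2 is not None:   # pkgrel counts only if both have one
        ret = _rpmvercmp(r1, r2)
    return ret


# Constructed data: (ASA id, package, first fixed Arch version) and `pacman -Q` output.
ADVISORIES = [
    ("201409-1", "examplepkg", "1.2.3-2"),
    ("201409-2", "otherpkg", "1:3.0-1"),
    ("201409-3", "thirdpkg", "2.1.0-1"),
]
PACMAN_Q = """\
examplepkg 1.2.3-1
otherpkg 3.0-1
thirdpkg 2.1.0-1
unrelated 0.9-4
"""


def pending_security_updates(advisories, pacman_q_output):
    """Return (package, installed, fixed, asa_id) for every installed package
    whose version is older than the advisory's fixed version."""
    installed = dict(line.split() for line in pacman_q_output.splitlines() if line.strip())
    return [(pkg, installed[pkg], fixed, asa)
            for asa, pkg, fixed in advisories
            if pkg in installed and vercmp(installed[pkg], fixed) < 0]


if __name__ == "__main__":
    for pkg, cur, fixed, asa in pending_security_updates(ADVISORIES, PACMAN_Q):
        print("%s %s -> %s (ASA-%s)" % (pkg, cur, fixed, asa))
```

With the constructed data, examplepkg (pkgrel 1 < 2) and otherpkg (epoch 0 < 1) are reported; thirdpkg is already at the fixed version and unrelated has no advisory. Note that an advisory whose fixed version carries an epoch can only be matched correctly if the epoch is written out, which is one reason the template's "Arch Linux fixed version" should be the full pacman version string, not the upstream number.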
participants (5):
- Guus Snijders
- Levente Polyak
- Marian Sigler
- Remi Gacogne
- Xan