[arch-security] Arch Linux Security Advisories

Remi Gacogne rgacogne-arch at coredump.fr
Thu Sep 25 12:53:45 EDT 2014

Hi all,

A recent discussion on the #archlinux-security IRC channel led to the
proposal of posting security announcements to the arch-security
mailing list every time a vulnerability concerning an Arch Linux package
is disclosed, as other distributions are already doing [1][2].

The final goal is to be able to notify Arch users that they may need to
quickly upgrade a specific package due to a vulnerability. In order to
do so efficiently, I believe we need to think of a way for package
maintainers to notify the Arch Linux CVE Monitoring Team (or whoever is
handling advisories) when they upgrade a package due to a specific
security issue (if they are aware of it, of course).

This would be complementary to the role of the CVE Monitoring Team,
which is to monitor CVEs and let package maintainers know when a package
needs to be upgraded / patched to fix a vulnerability.

Based on an idea by Bluewind, I made the following template for
advisories, and will be sending an advisory for the recent NSS
vulnerability as an example in the next few minutes. Any comments on the
idea of security advisories and/or this template are welcome.

Best regards,


[1] https://lists.debian.org/debian-security-announce/
[2] http://www.gentoo.org/security/en/glsa/index.xml


[Arch Linux Security Advisory <YYYYMM-N>] <Package>: <Vulnerability Type>

Arch Linux Security Advisory YYYYMM-N

Severity: Low, Medium, High, Critical
Date    : YYYY-MM-DD
Package : <package>
Type    : <Vulnerability Type>
Remote  : <Yes/No>
Link    : https://wiki.archlinux.org/index.php/CVE-YYYY


The package <package> before version <Arch Linux fixed version> is
vulnerable to <Vulnerability type>.


Upgrade to <Arch Linux fixed version>.

The problem has been fixed upstream in version <upstream fixed version>.


<Is there a way to mitigate this vulnerability without upgrading?>


<Long description, for example from original advisory>.


What is it that an attacker can do? Does this need existing
pre-conditions to be exploited (valid credentials, physical access)?
Is this remotely exploitable?


<Upstream report>
<Arch Linux Bug-Tracker>

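The advisory template above is a fixed-field text format, so an editor's added example (not code from the post or from the Arch Linux project) is a small Python checker that parses such an advisory, validates the field values the template allows (severity set, ISO date, Yes/No for Remote, wiki CVE link), and decides whether an installed package version falls under the "before version" clause. The sample advisory, package name, version numbers and CVE placeholder are constructed for the example; the version comparison is a simplified stand-in for pacman's vercmp, which is the authoritative comparison on Arch.

```python
import re
from datetime import date

# Constructed sample advisory in the proposed template format. It is not a
# real ASA: package name, versions and the CVE placeholder are made up.
SAMPLE_ADVISORY = """\
Arch Linux Security Advisory 201409-1

Severity: High
Date    : 2014-09-25
Package : examplepkg
Type    : signature forgery
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014-XXXX


The package examplepkg before version 3.17-1 is
vulnerable to signature forgery.


Upgrade to 3.17-1.

The problem has been fixed upstream in version 3.17.
"""

SEVERITIES = ("Low", "Medium", "High", "Critical")
REQUIRED = ("id", "severity", "date", "package", "type", "remote", "link",
            "fixed_version")
ID_RE = re.compile(r"^Arch Linux Security Advisory (\d{6}-\d+)$")
FIELD_RE = re.compile(r"^(Severity|Date|Package|Type|Remote|Link)\s*:\s*(.+?)\s*$")
# The template's summary sentence; \s+ lets "is" and "vulnerable" span a line break.
FIXED_RE = re.compile(r"before version (\S+) is\s+vulnerable to")


def parse_advisory(text):
    """Extract the advisory id, header fields and the fixed version into a dict."""
    fields = {}
    for line in text.splitlines():
        m = ID_RE.match(line.strip())
        if m:
            fields["id"] = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    m = FIXED_RE.search(text)
    if m:
        fields["fixed_version"] = m.group(1)
    return fields


def validate(fields):
    """Return a list of problems; an empty list means the advisory is well-formed."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in fields]
    if "severity" in fields and fields["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}")
    if "date" in fields:
        try:
            date.fromisoformat(fields["date"])
        except ValueError:
            problems.append("date must be YYYY-MM-DD")
    if "remote" in fields and fields["remote"] not in ("Yes", "No"):
        problems.append("remote must be Yes or No")
    if "link" in fields and not fields["link"].startswith(
            "https://wiki.archlinux.org/index.php/CVE-"):
        problems.append("link must point at the wiki CVE page")
    return problems


def version_key(version):
    """Simplified Arch version ordering (assumption: pkgver-pkgrel, dot-separated
    numeric components). pacman's vercmp is the real comparison; this is only
    enough for the example."""
    pkgver, _, pkgrel = version.partition("-")
    parts = []
    for comp in pkgver.split("."):
        # Ints sort before strings so that mixed components never raise TypeError.
        parts.append((0, int(comp)) if comp.isdigit() else (1, comp))
    rel = int(pkgrel) if pkgrel.isdigit() else 0
    return (parts, rel)


def is_affected(installed, fixed_version):
    """True when the installed version is older than the advisory's fixed version."""
    return version_key(installed) < version_key(fixed_version)


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(adv, validate(adv), is_affected("3.16.2-1", adv["fixed_version"]))
```

A maintainer could run this over a draft before posting it to the list, and a user could feed it the installed version reported by pacman to see whether the advisory applies to them.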