search for: predisclosur

Displaying 6 results from an estimated 6 matches for "predisclosur".

Did you mean: predisclosure
2012 Dec 03
0
Uncontrolled disclosure of advisories XSA-26 to XSA-32
We just sent the message below to the security advisory predisclosure list, relating to the release of XSA-26 to XSA-32. As you will see, these have now been publicly released. We''ll have a proper conversation about this in a week or two. Thanks for your attention, Ian. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We regret to announce that a member o...
2015 May 13
0
Xen Security Advisory 133 (CVE-2015-3456) - Privilege escalation via emulated floppy disk drive
...permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Deployment of the mitigation by enabling stubdomains is NOT permitted (except on systems used and administered only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because this configuration change may be visible to the guest. Also, distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to depl...
2011 Jul 14
4
Security vulnerability process - last call
...anks, Ian. Changes from the previous draft: * The pre-disclosure list will get copies of public advisories and updated advisories, not just embargoed ones. * The list of entities on the pre-disclosure list will be made public. We should probably warn the existing members of the predisclosure list that the fact that their organisation is on the list will be published and give them a chance to object or withdraw, so we will publish the actual list when the policy comes into force rather than right away. I don''t expect any of the members to object. We''...
2017 Sep 07
2
Updated Xen packages for XSA 216..225
...9;s xen.dsc doesn't built with sid's gcc. I will file a bug about this. So I have done an binaryful upload to stretch-security now. Also, I have access via my Xen Project Security Team hat to the patches for the predisclosed advisories 231..234 and since Debian is also on the Xen Project predisclosure list I think it is proper for me with my Debian hat to start work on the packages for those. The release date is 2017-09-12 12:00. See https://xenbits.xen.org/xsa/ Regards, Ian. -- Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own. If I emailed you from an ad...
2013 Aug 30
14
Coverity + XenProject + Process?
...- was wondering what should be the procedure for involving volunteers for that? Initially it was recommended that they agree to the security disclosure (http://www.xenproject.org/security-policy.html) and will agree to use by default the "Two working weeks between issue of our advisory to our predisclosure list and publication." But I am not sure who should have the power to veto/accept volunteers? Should security@Xen.org do that? Or should folks at Xen Devel mailing list be involved in it as well? Should that security disclosure be used for that as well? Ideas? Thank you.
2015 Sep 08
7
Notes from Xen BoF at Debconf15
...able release process. Security updates ================ Guido asked if security updates could go back further. Currently we go to 4.2, but Debian Wheezy has Xen 4.1. The security team don't currently have the effort to go further, but have recently introduced a private discussion list where predisclosure members are encouraged to exchange their own backports. Guido is not on global team at security.debian. We suggested he discuss with the Debian security team switching to a xen specific alias including team@ + relevant package maintainers. Release schedule vs. migration N=>N+1 support =======...