Displaying 6 results from an estimated 6 matches for "predisclosur".
Did you mean:
predisclosure
2012 Dec 03
0
Uncontrolled disclosure of advisories XSA-26 to XSA-32
We just sent the message below to the security advisory predisclosure
list, relating to the release of XSA-26 to XSA-32. As you will see,
these have now been publicly released.
We''ll have a proper conversation about this in a week or two.
Thanks for your attention,
Ian.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We regret to announce that a member o...
2015 May 13
0
Xen Security Advisory 133 (CVE-2015-3456) - Privilege escalation via emulated floppy disk drive
...permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.
But: Deployment of the mitigation by enabling stubdomains is NOT
permitted (except on systems used and administered only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted. This is because this configuration change may be
visible to the guest.
Also, distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to depl...
2011 Jul 14
4
Security vulnerability process - last call
...anks,
Ian.
Changes from the previous draft:
* The pre-disclosure list will get copies of public advisories and
updated advisories, not just embargoed ones.
* The list of entities on the pre-disclosure list will be made
public. We should probably warn the existing members of the
predisclosure list that the fact that their organisation is on the
list will be published and give them a chance to object or
withdraw, so we will publish the actual list when the policy comes
into force rather than right away. I don''t expect any of the
members to object. We''...
2017 Sep 07
2
Updated Xen packages for XSA 216..225
...9;s xen.dsc doesn't built with sid's gcc. I will file a bug about
this. So I have done an binaryful upload to stretch-security now.
Also, I have access via my Xen Project Security Team hat to the
patches for the predisclosed advisories 231..234 and since Debian is
also on the Xen Project predisclosure list I think it is proper for me
with my Debian hat to start work on the packages for those. The
release date is 2017-09-12 12:00. See https://xenbits.xen.org/xsa/
Regards,
Ian.
--
Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an ad...
2013 Aug 30
14
Coverity + XenProject + Process?
...- was wondering what should be the
procedure for involving volunteers for that?
Initially it was recommended that they agree to the security
disclosure (http://www.xenproject.org/security-policy.html) and
will agree to use by default the "Two working weeks between issue
of our advisory to our predisclosure list and publication."
But I am not sure who should have the power to veto/accept
volunteers? Should security@Xen.org do that? Or should folks
at Xen Devel mailing list be involved in it as well?
Should that security disclosure be used for that as well?
Ideas?
Thank you.
2015 Sep 08
7
Notes from Xen BoF at Debconf15
...able release process.
Security updates
================
Guido asked if security updates could go back further.
Currently we go to 4.2, but Debian Wheezy has Xen 4.1.
The security team don't currently have the effort to go further, but
have recently introduced a private discussion list where predisclosure
members are encouraged to exchange their own backports.
Guido is not on global team at security.debian. We suggested he discuss
with the Debian security team switching to a xen specific alias
including team@ + relevant package maintainers.
Release schedule vs. migration N=>N+1 support
=======...