Michael Gilbert
2011-Jan-18 02:17 UTC
[Secure-testing-commits] r15917 - / data doc doc/historic
Author: gilbert-guest Date: 2011-01-18 02:17:49 +0000 (Tue, 18 Jan 2011) New Revision: 15917 Added: doc/historic/ doc/historic/README doc/historic/TODO doc/historic/announce doc/historic/announce.2 doc/historic/announce.3 doc/historic/bits_2007_10_x doc/historic/bits_2008_06_x doc/historic/lenny_release doc/historic/mopb.txt doc/historic/mops.txt doc/historic/move_to_l.d.o doc/historic/testing-security doc/historic/tmp.txt Removed: TODO data/README data/mopb.txt data/mops.txt doc/announce doc/announce.2 doc/announce.3 doc/bits_2007_10_x doc/bits_2008_06_x doc/lenny_release doc/move_to_l.d.o doc/testing-security tmp.txt Log: create a historic document dir and move a bunch of outdated stuff there Deleted: TODO ==================================================================--- TODO 2011-01-18 02:17:42 UTC (rev 15916) +++ TODO 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,50 +0,0 @@ -* Set up for DTSAs - - - Auto moderation of developer signed mails to -announce. - - - sndadvisory should remove TODO lines from the list file since the - advisory is complete - - - merge sndadvisory into dtsa script? - - - web DTSA pages should be built on the fly using the metadata in DTSA/ - so we don''t have to update things in two places when making a change, - and so releasing a DTSA does not involve copying html files around - - - The dtsa script should have support for updating the list file - when running it on an advisory that it''s already been run on before. - This would facilitate issuing asvisories, which often takes a few runs - before the final one is sent. Alternatively, get rid of the DTSA/list - file (do we need it for anything really?) - -* Merge stuff into security.debian.org. Long term, but we need to keep in - mind that the current archive setup is just to get bootstrapped. - -* Web overview - - checklist setup for unstable needs to be fixed to ignore Hurd - -* Florian''s overview should be moved to secure-testing.debian.net, but - Florian wants to resolve some issues before. - -* Write the script that digs through the security bugs - -* Write the script that handles the transfer between secure-testing and testing - wrt incomplete archs (aba) - -* Improve the developer''s reference wrt security bugs (micah) - -* Document that finalized syntax - -* Review open security bugs and tag the wrt versioned bug tracking - -* Create a repo of security patches - -* Retroactive updating of the list for not-affected and others - -* Document all our stuff and work - -* Implement the HELP tag and add it to some outstanding issues - -* Link source package specific overview into the PTS - - Deleted: data/README ==================================================================--- data/README 2011-01-18 02:17:42 UTC (rev 15916) +++ data/README 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,55 +0,0 @@ -The checklist program can be run on a system with madison available to -check vulnerability info from the list files against what packages are in -testing. Also the updatelist is used by the Makefile to update the lists -with new info from Mitre. So the various list files need a common, machine -parsable format. That format is: - -begin claimed by foo - -[date] id description - {id id id} - UPCASE: text - - package [version] (note; note; note) - -end claimed by foo - - -Without writing a format grammar, because this is really rather ad-hoc and -probably will be replaced with something better: - -[date] - The date of the advisory in the form dd Mmm YYYY (01 Nov 2004). - Optional, only given for DSAs at the moment. -id - DSA-nnn-n, CVE-YYY-nnnn, etc -description - Pretty much freeform description of the problem. Short and optional. - By convention, if it''s taken from upstream data source - automatically, it will be in parens. If you want to use a different - description, put it in square brackets instead. -{id id id} - This is used to link to other ids that describe the same hole. - Generally used to link DSAs to CVEs and back. -UPCASE - Any word in upper case, typically NOTE, HELP, TODO, RESERVED, - REJECTED, NOT-FOR-US. - May be repeated for each entry. -- package [version] (note; notes; note) - Indicates that the problem is fixed in the given version of the - package. May repeat for other packages. If the problem is unfixed, - use "<unfixed>" as the version. If the problem doesn''t affect Debian, - use "<not-affected>" as the version. If the problem only affects - shipped releases, for which the stable security team provides - security support and the affected package has meanwhile been removed - from the archive use "<removed>" as the version. If the problem - affects a particular release, prepend "[release]" before the - "- package" to reflect as much. - - The notes can be freeform, but some are understood by the tools, - including "bug #nnnnn", "bug filed", and "high", - "medium", "low", "unimportant" and "unknown" urgencies. - -begin claimed by foo -end claimed by foo - Marks a set of items that are being checked by someone. - Used to avoid duplicate work. Deleted: data/mopb.txt ==================================================================--- data/mopb.txt 2011-01-18 02:17:42 UTC (rev 15916) +++ data/mopb.txt 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,237 +0,0 @@ -Issues affecting PHP 4 and PHP 5: - -41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability -#TODO(medium) -> for PHP5, php4 uses a seperate php4-sqlite package. -[MOPB-41-php5.diff] - -34 PHP mail() Header Injection Through Subject and To Parameters -#TODO(medium) -> needs to be fixed, CVE-2007-1718 (php4 & php5, header -injection possible via some MTAs when set to process the headers for -recipients), Sarge''s php4 not affected -[MOPB-34-php5.diff] - -30 PHP _SESSION unset() Vulnerability -#TODO(low) -> hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution) -[MOPB-30-php5.diff] - -26 PHP mb_parse_str() register_globals Activation Vulnerability -#TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process) - -22 PHP session_regenerate_id() Double Free Vulnerability -#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution) -[MOPB-22-php5.diff] - -10 PHP php_binary Session Deserialization Information Leak Vulnerability -#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) -Check, to which extent this was covered by our backports of 5.2.1 patches -[MOPB-10-php5.diff] - - - -Issues affecting PHP 4 only: - -35 PHP 4 zip_entry_read() Integer Overflow Vulnerability -#TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution) -[MOPB-35-php4.diff] - -32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) -TODO(medium) -> needs to be fixed in php/etch and php/sarge (remote code execution) -[MOPB-32-php4.diff] - -04 PHP 4 unserialize() ZVAL Reference Counter Overflow -TODO (php4 only, gain execute control) -[MOPB-04-php4.diff] - - - -Issues affecting PHP 5 only: - -45 PHP ext/filter Email Validation Vulnerability -TODO(low) -> possible email header injections when coupled with other problems (php5 5.2.0, 5.2.1) -[MOPB-45-php5.diff] - -44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability -#TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only) - -42 PHP 5 php_stream_filter_create() Off By One Vulnerablity -#TODO(medium) -> needs to be fixed, CVE-2007-1824 (php5, remote code execution, though haven''t reproduced it) -[MOPB-42-php5.diff] - -23 PHP 5 Rejected Session Identifier Double Free Vulnerability -#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution) - -19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability -#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) - -18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability -#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, can avoid filters) - -17 PHP ext/filter FDF Post Bypass Vulnerability -#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, (php5 5.2.0 only, can avoid filters) - -16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability -#TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution) - -14 PHP substr_compare() Information Leak Vulnerability -#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) -[MOPB-14-php5.diff] - - - - - -Done or resolved: - - -43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty -#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only) - -40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability -#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825 - -39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability -#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885 - -38 PHP printf() Family 64 Bit Casting Vulnerabilities -#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884 - -37 PHP iptcembed() Interruption Information Leak Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution) - -36 PHP session.save_path open_basedir Bypass Vulnerability -#N/A -> open_basedir bypasses not supported, CVE-2007-1461 - -33 PHP mail() Message ASCIIZ Byte Truncation -#N/A -> This is a bug, but not security-relevant, CVE-2007-1717 (php4 & php5) - -31 PHP _SESSION Deserialization Overwrite Vulnerability -#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution) - -29 PHP 5.2.1 unserialize() Information Leak Vulnerability -#N/A -> Only affects PHP 5.2.1, CVE-2007-1649 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?) -[MOPB-29-php5.diff] - -28 PHP hash_update_file() Already Freed Resource Access Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution) - -27 PHP ext/gd Already Freed Resource Access Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution) - -25 PHP header() Space Trimming Buffer Underflow Vulnerability -#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584 - -24 PHP array_user_key_compare() Double DTOR Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution) -[MOPB-24-php5.diff] - -21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability -#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461 - -20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability -#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1460 - -15 PHP shmop Functions Resource Verification Vulnerability -#N/A -> Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage) -[MOPB-15-php5.diff] - -13 PHP 4 Ovrimos Extension Multiple Vulnerabilities -#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 - -12 mod_security POST Rules Bypass Vulnerability -#N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?), CVE-2007-1359. - -11 PHP WDDX Session Deserialization Information Leak Vulnerability -#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak) - -09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability -#N/A -> Only applies to a development version in CVS, not a shipped release, CVE-2007-1381. - -08 PHP 4 phpinfo() XSS Vulnerability (Deja-vu) -N/A -> phpinfo() is a debug function, not be exposed to applications (php4 4.4.3 through 4.4.6 only, phpinfo XSS) - -07 Zend Platform ini_modifier Local Root Vulnerability (B) -N/A -> Only affects the Zend platform - -06 Zend Platform Insecure File Permission Local Root Vulnerability -N/A -> Only affects the Zend platform - -05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability -#Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS) - -03 PHP Variable Destructor Deep Recursion Stack Overflow -#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only) - -02 PHP Executor Deep Recursion Stack Overflow -#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2006-1549 (php4 & php5, crash only) - -01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control) - - - - -(Comments starting with # indicate that information has been fed to the tracker) -(Comments starting with TOFIX indicate that a patch has been created or extracted) - - -# php4 checklist - - Sarge Etch -41 a a <- seperate source package php4-sqlite -35 T T -34 / t -32 T T -30 / / -26 a a -22 t t -10 T T <- seemed already fixed but this completes the patch -04 T T - -? = more info -x = fix needed -* = extracted -a = patch generated and commited to SVN -t = didn''t seem affected, but patch makes sense -T = code tested -/ = not affected - -# PHP5 checklist.... -MOPB Etch, Unstable Dapper, Edgy, Feisty, Gutsy PATCH -10 p p[3] T T T - * -14 X T T T T - * -15 i T T T - - * -16 p p - - - - -17 - - - - - - -18 X T - - - - -19 X T - - - - -22 X T T T T - * -23 X T[5] X X X - ? -24 i i T T T X * -26 X T T T T - * -29 - - - - T - * -30 - a[4] T T - - * -34 X a T T T - * -41 X T T T T - ![1] -42 X a T T - - * -44 X a - - - - -45 X T - - T - ![2] - -* = patch extracted from upstream -? = no upstream patch found -! = patch created - -X = fixed desired -a = patch applied -p = previously fixed -T = code tested -- = fix n/a -i = fix skipped - -[1] but the fix in php5 is not right, the call (not the SQLite API) needs - to be changed. For references, here is the upstream "fix": - http://cvs.php.net/viewvc.cgi/php-src/ext/sqlite/libsqlite/src/encode.c?r1=1.5.4.1&r2=1.5.4.1.2.1&pathrev=PHP_5_2 -[2] this needs a CVE assigned -[3] previously fixed, but the patch adds another check we should have too. -[4] could not reproduce this problem -[5] the first hunk of the patch for mopb 22 fixes this. - Deleted: data/mops.txt ==================================================================--- data/mops.txt 2011-01-18 02:17:42 UTC (rev 15916) +++ data/mops.txt 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,64 +0,0 @@ -Month of PHP security May 2010 status file - -001: CVE-2007-1581; Only triggerable by malicious script -002: External app not in Debian: Campsite -003: CVE-2010-1866; Should be fixed for Squeeze, doesn''t affect Lenny (5.3 only) -004: External app not in Debian: ClanSphere -005: External app not in Debian: ClanSphere -006: CVE-2010-1864; Only triggerable by malicious script -007: External app not in Debian: ClanTiger -008: CVE-2010-1862; Only triggerable by malicious script -009: CVE-2010-1861; Only triggerable by malicious script -010: CVE-2010-1860; Only triggerable by malicious script -011: External app not in Debian: DeluxeBB -012: CVE-2010-1868; Only triggerable by malicious script -013: CVE-2010-1868; Only triggerable by malicious script -014: CVE-2010-1914; Only triggerable by malicious script -015: CVE-2010-1914; Only triggerable by malicious script -016: CVE-2010-1914; Only triggerable by malicious script -017: CVE-2010-1915; Only triggerable by malicious script -018: External app not in Debian: EFront -019: CVE-2010-1916; Serendipity, doesn''t affect Lenny (1.4 onwards), pinged Thijs -020: CVE-2010-1916; External app; xinha, Just an ITP: #479708, there are embedders -021: CVE-2010-1917; PHP fnmatch() Stack Exhaustion Vulnerability -022: CVE-2010-2093; Only triggerable by malicious script -023: no CVE yet; Cacti, pinged Sean Finney -024: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR -025: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR -026: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR -027: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR -028: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR -029: External app not in Debian: CMSQLITE -030: External app not in Debian: CMSQLITE -031: External app not in Debian: e107 -032: CVE-2010-2097; Only triggerable by malicious script -033: CVE-2010-2097; Only triggerable by malicious script -034: CVE-2010-2097; Only triggerable by malicious script -035: External app not in Debian: e107 -036: CVE-2010-2100; Only triggerable by malicious script -037: CVE-2010-2100; Only triggerable by malicious script -038: CVE-2010-2100; Only triggerable by malicious script -039: CVE-2010-2100; Only triggerable by malicious script -040: CVE-2010-2100; Only triggerable by malicious script -041: CVE-2010-2101; Only triggerable by malicious script -042: CVE-2010-2101; Only triggerable by malicious script -043: CVE-2010-2101; Only triggerable by malicious script -044: CVE-2010-2101; Only triggerable by malicious script -045: CVE-2010-2101; Only triggerable by malicious script -046: CVE-2010-2101; Only triggerable by malicious script -047: CVE-2010-2190; Only triggerable by malicious script -048: CVE-2010-2190; Only triggerable by malicious script -049: CVE-2010-2191; Only triggerable by malicious script -050: CVE-2010-2191; Only triggerable by malicious script -051: CVE-2010-2191; Only triggerable by malicious script -052: CVE-2010-2191; Only triggerable by malicious script -053: CVE-2010-2191; Only triggerable by malicious script -054: CVE-2010-2191; Only triggerable by malicious script -055: CVE-2010-2191; Only triggerable by malicious script -056: CVE-2010-3062; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid -057: CVE-2010-3062; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid -058: CVE-2010-3063; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid -059: CVE-2010-3064; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid -060: CVE-2010-3065; Should be fixed in Lenny and unstable; low importance - - Deleted: doc/announce ==================================================================--- doc/announce 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/announce 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,133 +0,0 @@ -Subject: forming a security team for testing - -I''ve been talking to people about the idea of forming a security team for -the testing distribution for several months, and there seems to be enough -interest in improving testing''s security to make such a team a reality. -Most of the people in the CC list have indicated interest in the existence -of a testing security team; we''re interested in testing''s security for -diverse reasons including: use of testing at work, shipping products based -on testing, hoping to base derived Deban distributions on testing rather -than stable, wanting testing to be a viable choice for Debian users, and -so on. - -The team will consist of Debian developers and possibly others. Unless a -member of the Debian security team joins the Debian testing security team, -none of us will have any privileged information about future security -announcements. Anyone with interest and experience with security issues is -welcome to join the team. - -To talk about how I think this team would work on testing''s security, I -need to talk about two distinct stages, before the sarge release, and -after. - -Right now we''re at a point in the sarge release cycle where most of the -focus of a testing security team needs to be on identifying and fixing -sarge''s security problems and getting it ready for release. This means -checking to make sure that security problems that have already been fixed -in unstable and stable do not continue to affect testing, as well as -dealing with new holes. I don''t think Debian has really invested much -effort into this in past releases, but if we want sarge to be a secure -release from the beginning, it''s important to do it. - -If we do that work now, then after sarge is released, we will only need to -worry about keeping track of new security holes and releasing security -advisories. - -Work before sarge''s release: ---------------------------- - -Some work on checking sarge for old security issues has already been done. -With help from some of the people in the CC list, I coordinated a scan of -every DSA since woody''s release and we checked all 450 DSAs to see if fixes -for those security holes had reached testing. Suprisingly, we found some -security holes that had not gotten fixed in testing in a year or more, -though those were the exceptions. - -I''ve continued to do this checking as each new DSA is released, as well as -filing bugs, working with the security team and Release Managers, and doing -a few NMUs to get the fixes in. The current list of unfixed DSAs sarge is: - - joeyh at newraff:~/sarge-checks>./checklist.pl DSA/list - kpdf (unfixed; bug #278173) for DSA-573-1 - gpdf 2.8.0-1 needed, have 2.8.0-0.1 for DSA-573-1 - libpng3 1.2.5.0-9 needed, have 1.2.5.0-8 for DSA-571-1 - kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539 - -But checking DSAs is not a complete check of known security issues that -might still be lurking in sarge. To do a really complete scan means looking -through old non-DSA advisories as far back as is reasonable or doable. I -think doing this scan and the following up on it to fix things would be a -good first step for the team, and a way to begin figuring out how the team -will work together. - -Mitre has a fairly comprehensive list of security problems in their list of -CAN numbers[1]. There have been about 1000 CANs allocated this year, some -of them are not released yet, some were covered by the DSAs and I''ve -checked a few hundred, so there are about 400 left. I think 4 or 5 people -could check these in a reasonable time period, and maybe do 2003 as well. -So if you''re interested in checking some of the CANs to see if they are -fixed in sarge, here''s what to do: - - - Sign up for an alioth account if you don''t have one. - - Send me your userid to be added to the secure-testing project on alioth. - - svn co svn+ssh://svn.debian.org/svn/secure-testing/sarge-checks - - Edit the CAN/list file and claim a range of CANs to check. Note that - CANs that have already been checked as part of the DSA checks are so - marked. Commit the file. - - Go through your claimed CANs and check changelogs, advisories, do - testing, whatever is needed to satisfy yourself whether sarge is - vulnerable or not, and record your findings in the CANs file. - - If it''s also not fixed in sid, then be sure to file a RC bug; if it''s - fixed in sid but not in sarge, be sure to record it as a critical issue - on the Release Managers'' sarge issue tracker here: - http://www.wolffelaar.nl/~sarge/ - Do other followup as appropriate to get the fix into sarge. - -Along with looking for old unfixed holes in sarge and working on getting -them fixed, we should also keep up-to-date with tracking new holes as -they''re announced. - -Work after sarge''s release: --------------------------- - -By the time sarge releases, I hope to already have a team that has worked -together on getting sarge secure, and we''ll have a testing distribution -with no old security holes in it. This would be a great time to start -regular security updates for testing. I''ve been considering some acheivable -goals for the testing security team, and come up with this list: - - - Provide timely security updates for testing, with fixes being made - available no more than four days after a DSA is released. - - Work with maintainers to include security fixes from unstable - that do not have DSAs. - - Maintain a public database and statistics about the current state of - security in testing. - -Exactly how we would handle doing security updates for testing will have to -be decided by the team. We will probably want to release gpg signed DTSA -(Debian Testing Security Advisories) to a mailing list and web site. It -seems likely that we could use the testing-proposed-updates queue to build -updates, if it gets set up for all arches and continues to work after the -sarge release. For tracking issues, we may need to come up with our own -system, or we may be able to use the BTS, it if gets the promised version -tracking support added to it. We might want to set up our own security -repository separate from testing, or not. - -I think it''s important that the team not rely on others in Debian to do the -work for infrastructure we need; if it''s available then great, but if not -we should be prepared to work around it ourselves. - -While it''s again up to the eventual team to decide for sure, I suggest that -we build security updates against the packages in testing. I also suggest -that unlike security updates to package in stable, we should most often not -backport fixes to the versions of packages in testing. More often we will -simply take the fixed package from unstable, recompile it if necessary, and -qualify it for the testing distribution. This may involve upgrading to new -upstream releases, and so there''s a chance our updates will introduce new -bugs. Still, that''s not as bad as unfixed security holes, and for a small -team with limited manpower, this is a useful shortcut. We can make sure -that our users realise that using our security updates can expose them to -upgrade bugs. - -[1] http://cve.mitre.org/cve/candidates/downloads/full-can.html - Deleted: doc/announce.2 ==================================================================--- doc/announce.2 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/announce.2 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,127 +0,0 @@ -Subject: announcing the beginning of security support for testing - ---------------------------------------------------------------------------- -Debian Testing Security Team September 9th, 2005 -secure-testing-team at lists.alioth.debian.org -http://testing-security.debian.net/ ---------------------------------------------------------------------------- - -Security support for testing - -The Debian testing security team is pleased to announce the beginning of -full security support for Debian''s testing distribution. We have spent the -past year building the team, tracking and fixing security holes, and -creating our infrastructure, and now the final pieces are in place, and -we are able to offer security updates and advisories for testing. - -We invite Debian users who are currently running testing, or who would like -to switch to testing, to subscribe to the secure-testing-announce mailing -list, which will be used to announce security updates. -<http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce> - -We also invite you to add the following lines to your apt sources.list file, -and run "apt-get update && apt-get upgrade" to make the security updates -available. - -deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free -deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free - -Alternatively, replace "secure-testing.debian.net" in the above lines with -a mirror near you: - - ftp.de.debian.org (located in Germany) - ftp.nl.debian.org (located in the Netherlands) - the.earth.li (located in UK) - ftp2.jp.debian.org (located in Japan) - farbror.acc.umu.se (located in Sweden) - -Some initial advisories have already been posted to the list and are already -available in the repository. These include: - -[DTSA-1-1] New kismet packages fix remote code execution -[DTSA-2-1] New centericq packages fix multiple vulnerabilities -[DTSA-3-1] New clamav packages fix denial of service and privilege escalation -[DTSA-4-1] New ekg packages fix multiple vulnerabilities -[DTSA-5-1] New gaim packages fix multiple remote vulnerabilities -[DTSA-6-1] New cgiwrap packages fix multiple vulnerabilities -[DTSA-7-1] New mozilla packages fix frame injection spoofing -[DTSA-8-1] New mozilla-firefox packages fix several vulnerabilities -[DTSA-9-1] New bluez-utils packages fix bad device name escaping -[DTSA-10-1] New pcre3 packages fix buffer overflow -[DTSA-11-1] New maildrop packages fix local privilege escalation -[DTSA-12-1] New vim packages fix modeline exploits -[DTSA-13-1] New evolution packages fix format string vulnerabilities - -Note that while all of Debian''s architectures are supported, we may release -an advisory before fixed packages have built for all supported -architectures. If so, the missing builds will become available as they -complete. - -We are not currently issuing advisories for security fixes that reach -testing through normal propagation from unstable, but only for security -fixes that are made available through our repository. So users of testing -should continue to upgrade their systems on a regular basis to get such -security fixes. We might provide information about security issues that -have been fixed through regular testing propagation in the future, though. - -Note that this announcement does not mean that testing is suitable for -production use. Several security issues are present in unstable, and an -even larger number are present in testing. Our beginning of security -support only means that we are now able to begin making security fixes -available for testing nearly as quickly as for unstable. The testing -security team''s website has information about what security holes are still -open, and users should use this information to make their own decisions -about whether testing is secure enough for them. - -Finally, we are still in the process of working out how best to serve users -of testing and keep your systems secure, and we welcome comments and -feedback about ways to do better. You can reach the testing security team -at secure-testing-team at lists.alioth.debian.org. - -If you want to become a mirror, please see -http://testing-security.debian.net/mirroring.html - -Debian developers who would like to upload fixes for security holes in -testing to the repository can do so, following the instructions on our web -site. - -For more information about the testing security team, see our web site. -<http://testing-security.debian.net/>. - ----------------------------------------------------------------------------- - -The archive signing key that is used to sign the apt repository is -included below and can also be downloaded from -http://testing-security.debian.net/ziyi-2005-7.asc - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.1 (GNU/Linux) - -mQGiBEMM7wgRBACs/rcYtu++PqBV5t6qTf9FsjJYZV4OUoQmtK849PdHUoVONh/b -yz0vmP4QPCJXraFYiiiaur8WLcOphwY3DFaz0quozxl3pZfJjN27qDdTTDUKk1Kq -zFQYTsDaXjSh0nRGW3gFmbyIqTL8sVGOAAz2KbrtLEQE11qYZjzvylEf4wCgv6ss -HgQ7AcSBjpvm72e9PvSuDhMD/1kV0Snq9ilvCv7QLHBo/JnNgiCwxh5nEnPWHYjo -SB0I99nuFMAzooAXTQhU3Hx1/sdZ3SMk1hWwZCPI0iNqESH2a3ib0YZt0DycWa3Y -KxXIJet92u3ApSMVbp6OzzL7REoNCAgg6F/lrl+lVtnHbKiKBMZlKMsp+kQLSXqr -Ki0pA/wIkkp7mJ7IiVS0fy9gueuiLqJKR6+i092J0RXsQesQX4OTC2DY3IICB22Q -HfE8WNVZ2iPuWK0ymg6GqAHplp7bfVZMzfMSTMc+hj9WnmEVRRjLH66tsq1XHGEQ -qg/mbkmeXwUwxAT1WGClcRWJqODmWE7KhkjKwGklYgzBoxwqkLRDc2VjdXJlLXRl -c3RpbmcgQXJjaGl2ZSBLZXkgMjAwNS03IDxrYXRpZUBzZWN1cmUtdGVzdGluZy5k -ZWJpYW4ubmV0PohkBBMRAgAkBQJDDO8IAhsDBQkElVcABgsJCAcDAgMVAgMDFgIB -Ah4BAheAAAoJEJRqpuGHIucecvgAoK3nnF0yEwpNeQASyerh4wxRblZzAJ9h8rEF -YldbZt/zYA53k2/y2m+s7LkCDQRDDO8gEAgAm1Y/a//sVe6fEANvLc5M5pEsoRkP -LNKcH1O/og2mID8/gBV99LRfRnjcV8xhF5cWIlb4Es3KvQxmvxo6zGEfsMJWoezq -H+2agIra78dfb0B1AyHuvwSRMc9sVy+3CuegM8bD3ss+4ta3rNLChpVrE8DxJZum -ecqkNSQVOkqeAOl2JIQ/xBkLg1hjQA8bXW5AiUu4/XAQAe04w7YNfdsApeCfpKEW -Atg54CD9uRbfSwnd2uYHYcosmBMhryNrHy27RkyS0BFWaL/1gfBqua7VujcnCm6S -nbhB4t3vk/AnEsPJixtW/tOC3a3BaPqGsTq848e/PzmWY/8y9mvXwbxq5wADBQgA -gNtB3u8TCN2Z4wkKrg19LohivQzJCXFfRi2ZydOe9E3SbSi6ggthjvGhHv2lTHEu -e/4wBOta3a9pUpVdMgRFL1UuJy3nPd1yPC0dOegJj+lMkeMGcdKolJUMdoA+ieZ2 -lwkrT1b5GdFBSRn8hsuRtZi69QtzoHzDR5lg9ynwTJ+mLlO8r83HmdxbXsnmGlxy -ZWRoqiSIl7mRLHp2tuFw9chgJ1nqwewTmCj85Aj/YsbGmqOJcnp98Jk0GDiP/le4 -rktZAqG2blwVpC2DLLiQSqcYS5jjq/iiGnYEIVG+nPa/29OuoX40zwKqBcy5I8rJ -ZIq2hzbazsyg2Sd3vhmZuohPBBgRAgAPBQJDDO8gAhsMBQkElVcAAAoJEJRqpuGH -IuceRqUAn3Q8msRUTsp882QINWyy5fqTehb5AJ9+kz3xq+7ooAwkdgpNOiz7ogxp -Qg=-=KBNL ------END PGP PUBLIC KEY BLOCK----- Deleted: doc/announce.3 ==================================================================--- doc/announce.3 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/announce.3 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,46 +0,0 @@ -X-pseudo-subject: For those who care about testing security -Subject: Testing security archive move - ---------------------------------------------------------------------------- -Debian Testing Security Team May 12th, 2006 -secure-testing-team at lists.alioth.debian.org -http://testing-security.debian.net/ ---------------------------------------------------------------------------- - -Testing security archive move - -The Debian testing security team is pleased to announce the integration of -the secure testing archive to http://security.debian.org - -We invite Debian users who are currently running testing, or who would like -to switch to testing, to subscribe to the secure-testing-announce mailing -list, which will be used to announce security updates. -<http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce> - -We also invite you to add the following lines to your apt sources.list file, -and run "apt-get update && apt-get upgrade" to make the security updates -available. - -deb http://security.debian.org etch/updates main contrib non-free -deb-src http://security.debian.org etch/updates main contrib non-free - -This replaces the previous http://secure-testing.debian.net/ lines which should -no longer be used. There will be a transition period where packages are -uploaded to both, but you should now use the http://security.debian.org lines. - -Note that while all of Debian''s architectures are supported, we may release -an advisory before fixed packages have built for all supported -architectures. If so, the missing builds will become available as they -complete. - -Debian developers who would like to upload fixes for security holes in -testing to the repository can do so, following the instructions on our web -site. - -Finally, we are still in the process of working out how best to serve users -of testing and keep your systems secure, and we welcome comments and -feedback about ways to do better. You can reach the testing security team -at secure-testing-team at lists.alioth.debian.org. - -For more information about the testing security team, see our web site. -<http://testing-security.debian.net/>. Deleted: doc/bits_2007_10_x ==================================================================--- doc/bits_2007_10_x 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/bits_2007_10_x 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,158 +0,0 @@ -Hi fellow developers, - -We finally got around to sending this email to inform you about the -current state of the Testing Security team and its work. - -If you at any stage have questions about the Testing Security team, -please feel free to come to #debian-security on OFTC or write an email to -secure-testing-team at lists.alioth.debian.org . - - - -Security status of testing --------------------------- - -Thanks to an increased size of our team, Debian Lenny is in good shape with -respect to security and has been so for some time. We expect to be able to -keep up this level of security support (at least) until the release of Lenny. - -In the weeks immediately after the release of Etch there were some security -support problems for testing. We hope to improve our processes so that we won''t -run into the same problems after the release of Lenny. There will be another -announcement about the state of these efforts well before Lenny''s release. - -Our web page[0] has been updated to reflect the current status. - - - -New announcement mails ----------------------- - -Previously we were mimicing the announcement method that Stable security -uses by providing DTSAs (Debian Testing Security Advisories). However, -these were only prepared for issues that required us to manually prepare -package updates, thereby forcing a package into testing that would not -otherwise migrate automatically in a reasonable time-frame. This resulted -in very infrequent DTSAs because most of the security issues were dealt -with by fixed packages migrating from unstable to testing. - -Therefore, we set up daily announcements (delivered to the -announcement mailinglist[1]), which include all new security fixes for -the testing distribution. Most commonly the email shows the migrated -packages. If there has been a DTSA issued for a package, this will -show up as well. - -In some rare cases, the Testing Security team asks the release -managers to remove a package from testing, because a security fix in a -reasonable amount of time seems to be unlikely and the package should -not be part of testing in our opinion. In this case, the email will -additionally include information about the removal. - - - -Efforts to fix security issues in unstable ------------------------------------------- - -The Testing Security team works mainly on assigned CVE numbers but -also follows security relevant bugs reported via the BTS. If you -encounter a security problem in one of your packages, which does not -have a CVE number yet, please contact the Testing Security team. It -is important to have a CVE id allocated, because they allow us to -track the security problem in all Debian branches (including Debian -stable). When you upload a security fix to unstable, please also -include the CVE id in your changelog and set the urgency to high. The -tracker used by both the Testing and Stable Security teams, can be -found on this webpage[2]. - -The main task of the Testing Security team is to review CVE id -relevance to Debian, informing Debian maintainers by filing bugs to -the BTS (if not already done) and chasing the security fix to move it -faster into testing. Whenever possible, we try to provide patches and -sometimes also NMU the packages in unstable. Please do not regard an -NMU by the Testing Security team as a bad sign. We try to assist you -in the best way to keep Debian secure. Also keep in mind that not all -security related problems have a grave severity, so do not be -surprised if a normal bug in the Debian BTS results in assigning a CVE -id for it. An up to date overview of unresolved issues in unstable -can be found on the tracker website[3]. - - - -Efforts to fix security issues in testing ------------------------------------------ - -Our efforts to keep testing secure are primarily focused around -letting fixed packages migrate from unstable. In order to -ensure this migration process, we are in close contact with the -release team and request priority bumps to speed up the -migration. Sometimes a package is kept from migrating due to a -transition, the occurrence of new bugs in unstable, buildd issues or -other problems. In these cases, the Testing Security team considers -the possibility of issuing a DTSA. We always appreciate it when the -maintainer contacts us about their specific security problem. When we -are in communication then we can assist by telling you whether to wait -for migration or to prepare an upload to testing-security. For non-DDs, -these uploads can be sponsored by every DD, preferable by a member of -the Testing Security team. If you get a go for an upload to -testing-security by one of us, please follow the guidelines on the -webpage[4]. If we feel the need to issue a DTSA and were not contacted -by the maintainer, we normally go ahead and upload ourselves, although -efforts by maintainer to be involved in this process is much preferred. - -An up to date overview of unresolved issues in testing can be found on -the tracker website[5]. - - - -Embedded code copies --------------------- - -There are a number of packages including source code from external -libraries, for example poppler is included in xpdf, kpdf and others. -To ensure that we don''t miss any vulnerabilities in packages that do so -we maintain a list[6] of embedded code copies in Debian. It is preferable -that you do not embed copies of code in your packages, but instead link -against packages that already exist in the archive. Please contact us about -any missing items you know about. - - - -Some statistics ---------------- - -* 35 DTSAs had been issued in 2007 so far for over 139 CVE ids -* 39 NMUs were uploaded in the last two months to fix security flaws -* 49 security related uploads migrated to testing in the last month for 71 CVE ids -* 5500 CVE ids had been processed by the team so far for this year - - - -New Testing Security Members ----------------------------- - -New members are constantly added to the team. The most recent additions are -Nico Golde, Steffen Joeris, and Thijs Kinkhorst. The circle of team members -who may approve releases to the testing-security repository has also been -enlarged by Stefan Fritsch (since May), Nico Golde and Steffen Joeris -(both added recently). - -If you are interested in joining the team, we always need more people, -and it''s not very hard to contribute in very small ways that have large -impacts! Contact us if you are interested. You may want to also look at -our helping page[7]. - -So far so good. We hope to keep you updated on testing security issues -more regularly. - -Yours, -Testing Security team - - -[0]: http://testing-security.debian.net/ -[1]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce -[2]: http://security-tracker.debian.net/tracker/ -[3]: http://security-tracker.debian.net/tracker/status/release/unstable -[4]: http://testing-security.debian.net/uploading.html -[5]: http://security-tracker.debian.net/tracker/status/release/testing -[6]: http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0 -[7]: http://testing-security.debian.net/helping.html Deleted: doc/bits_2008_06_x ==================================================================--- doc/bits_2008_06_x 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/bits_2008_06_x 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,146 +0,0 @@ -Hi fellow developers, - -It''s been some time since our last email. Much has happened since then -with regards to the security support of Debian''s testing distribution. - - -General security support for testing ------------------------------------- - -The Debian Testing Security team is very near to providing full -security support for the testing distribution. At the time of the last -email, two blockers for full security support were present. However, -we now are able to process embargoed issues (more on that below), so -we are happy to announce that only one blocker remains. The only -remaining blocker for full security support at this point is the -kernel. We are talking to the kernel security team about providing -testing-security support, but at the moment this task lacks -manpower. If you are willing to work on this, please feel free to -contact us. Otherwise, in terms of security at this point we recommend -using the stable kernel or if that is not an option, the unstable -kernel. Also, we would like to state that packages that are not -security supported for stable are likewise unsupported for -testing. This list includes all packages in contrib and non-free, as -well as the ones that are marked unsupported (for example, -kfreebsd). The maintainers are solely responsible for security and -there won''t be any DTSAs for such packages. - - -Security status of the current testing distribution (lenny) ------------------------------------------------------------ - -With some pride we can say that testing has never been in such good -shape security wise. The tracker reflects very accurately the current -known security issues in the testing distribution[0]. Our new -announcement emails[1] provide a notification for users whenever a new -security fix reaches testing, whether through migration from unstable -or DTSA for testing-security. Also fewer packages are getting removed -from testing because of security issues. - -In order to reach a wider audience with security updates for testing -and due to the beta1 release of the lenny installer including the -testing-security repository in the apt-sources, this new mailing list -was created. We highly recommend that every user who runs Debian -testing and is concerned about security subscribes[1] to this list - -Note: this list is a replacement of the old secure-testing-announce -list hosted on alioth which has been removed. - - -Security status of the next testing distribution (lenny+1) ----------------------------------------------------------- - -After the release of lenny, there will probably be no security support -for the new testing distribution for some time. It is not clear yet -how long this state will last. Users of testing who need security -support are advised to change their sources.list entries from -"testing" to "lenny" now and only switch to lenny+1 after the begin of -its security support is announced. There will be another announcement -with more details well before the release of lenny. - - -Embargoed issues and access to wider security information ---------------------------------------------------------- - -Parts of the Testing Security Team have been added to the -team at security.debian.org alias and are thus also subscribed to the -vendor-sec mailing list where embargoed security issues are -coordinated and discussed between Linux vendors before being released -to the public. The embargoed security queue on security-master will be -used to prepare DTSAs for such issues. This is a major change as the -Testing Security Team was not able to prepare updates for security -issues under embargo before. If a DTSA was prepared for an embargoed -issue in your package, you will either be contacted by us before the -release or you will be notified through the BTS. Either way, you will -most likely get an RC bug against your package including the patch -used for the DTSA. This way you can prepare updates for unstable and -the current unfixed unstable package does not migrate to testing, -where it would overwrite the DTSA. - - -Freeze of lenny coming up -------------------------- - -With the lenny release approaching, the Debian release team will at -some stage freeze the testing archive. This means it is even more -important to stay in close contact with the Debian Testing Security -team to coordinate security updates for the testing distribution. If -one of your packages is affected by an unembargoed security issue, -please contact us through the public list of the team[2] and fix the -issue in unstable with high urgency. Please send as much information -as possible, including patches, ways to reproduce the issue and -further descriptions. If we ask you to prepare a DTSA, please follow -the instructions on the testing-security webpage[3] and go ahead with -the upload. If your package is affected by an embargoed issue, email -the private list[4] and if we should ask you to upload a DTSA, use the -embargoed upload queue (which is the same than for stable/oldstable). - - -Handling of security in the unstable distribution -------------------------------------------------- - -First of all, unstable does not have official security support. The -illusion that the Debian Testing Security team also officially -supports unstable is not true. Security issues in unstable, especially -when the package is not in testing, are not regarded as high urgency -and are only dealt with when there is enough spare time. - -However, it is true that most of our security updates migrate through -unstable to prevent doubled workload. For this purpose, we urge every -maintainer to upload their security fixes with high urgency and -mention the CVE ids (if given) in their changelogs. Because we let -fixes migrate, it often happens that we NMU packages. An up to date -list of NMUs done by the security team can be found in our -repository[5]. These NMUs are done as the need arises and do not -always follow the given NMU rules, because security updates are -treated with higher urgency. - - -Call for new members: ---------------------- - -The team is still looking for new members. If you are interested in -joining the Debian Testing Security team, please speak up and either -write to the public mailing list[2] or approach us on the internal -mailing list[6]. Note that you do not have to be a DD for all tasks. -Check out our call for help[7] for more information about the tasks -and the requirements if you want to join the team. We also look for -people with experienced knowledge regarding the kernel. We would like -to start security support for the kernel packages in testing and -prepare DTSAs for the unembargoed kernel issues. For this task, it -would be good to have one or two designated people in the Debian -Testing Security team to only concentrate on this task. If you are -interested, please speak up. - - -Yours, -Testing Security - -[0]: http://security-tracker.debian.net/tracker/status/release/testing -[1]: http://lists.debian.org/debian-testing-security-announce -[2]: secure-testing-team at lists.alioth.debian.org -[3]: http://testing-security.debian.net/uploading.html -[4]: team at security.debian.org -[5]: http://svn.debian.org/wsvn/secure-testing/data/NMU/list?op=file&rev=0&sc=0 -[6]: team at testing-security.debian.net -[7]: http://lists.debian.org/debian-devel-announce/2008/03/msg00007.html Copied: doc/historic/README (from rev 15916, data/README) ==================================================================--- doc/historic/README (rev 0) +++ doc/historic/README 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,55 @@ +The checklist program can be run on a system with madison available to +check vulnerability info from the list files against what packages are in +testing. Also the updatelist is used by the Makefile to update the lists +with new info from Mitre. So the various list files need a common, machine +parsable format. That format is: + +begin claimed by foo + +[date] id description + {id id id} + UPCASE: text + - package [version] (note; note; note) + +end claimed by foo + + +Without writing a format grammar, because this is really rather ad-hoc and +probably will be replaced with something better: + +[date] + The date of the advisory in the form dd Mmm YYYY (01 Nov 2004). + Optional, only given for DSAs at the moment. +id + DSA-nnn-n, CVE-YYY-nnnn, etc +description + Pretty much freeform description of the problem. Short and optional. + By convention, if it''s taken from upstream data source + automatically, it will be in parens. If you want to use a different + description, put it in square brackets instead. +{id id id} + This is used to link to other ids that describe the same hole. + Generally used to link DSAs to CVEs and back. +UPCASE + Any word in upper case, typically NOTE, HELP, TODO, RESERVED, + REJECTED, NOT-FOR-US. + May be repeated for each entry. +- package [version] (note; notes; note) + Indicates that the problem is fixed in the given version of the + package. May repeat for other packages. If the problem is unfixed, + use "<unfixed>" as the version. If the problem doesn''t affect Debian, + use "<not-affected>" as the version. If the problem only affects + shipped releases, for which the stable security team provides + security support and the affected package has meanwhile been removed + from the archive use "<removed>" as the version. If the problem + affects a particular release, prepend "[release]" before the + "- package" to reflect as much. + + The notes can be freeform, but some are understood by the tools, + including "bug #nnnnn", "bug filed", and "high", + "medium", "low", "unimportant" and "unknown" urgencies. + +begin claimed by foo +end claimed by foo + Marks a set of items that are being checked by someone. + Used to avoid duplicate work. Copied: doc/historic/TODO (from rev 15916, TODO) ==================================================================--- doc/historic/TODO (rev 0) +++ doc/historic/TODO 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,50 @@ +* Set up for DTSAs + + - Auto moderation of developer signed mails to -announce. + + - sndadvisory should remove TODO lines from the list file since the + advisory is complete + + - merge sndadvisory into dtsa script? + + - web DTSA pages should be built on the fly using the metadata in DTSA/ + so we don''t have to update things in two places when making a change, + and so releasing a DTSA does not involve copying html files around + + - The dtsa script should have support for updating the list file + when running it on an advisory that it''s already been run on before. + This would facilitate issuing asvisories, which often takes a few runs + before the final one is sent. Alternatively, get rid of the DTSA/list + file (do we need it for anything really?) + +* Merge stuff into security.debian.org. Long term, but we need to keep in + mind that the current archive setup is just to get bootstrapped. + +* Web overview + - checklist setup for unstable needs to be fixed to ignore Hurd + +* Florian''s overview should be moved to secure-testing.debian.net, but + Florian wants to resolve some issues before. + +* Write the script that digs through the security bugs + +* Write the script that handles the transfer between secure-testing and testing + wrt incomplete archs (aba) + +* Improve the developer''s reference wrt security bugs (micah) + +* Document that finalized syntax + +* Review open security bugs and tag the wrt versioned bug tracking + +* Create a repo of security patches + +* Retroactive updating of the list for not-affected and others + +* Document all our stuff and work + +* Implement the HELP tag and add it to some outstanding issues + +* Link source package specific overview into the PTS + + Copied: doc/historic/announce (from rev 15916, doc/announce) ==================================================================--- doc/historic/announce (rev 0) +++ doc/historic/announce 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,133 @@ +Subject: forming a security team for testing + +I''ve been talking to people about the idea of forming a security team for +the testing distribution for several months, and there seems to be enough +interest in improving testing''s security to make such a team a reality. +Most of the people in the CC list have indicated interest in the existence +of a testing security team; we''re interested in testing''s security for +diverse reasons including: use of testing at work, shipping products based +on testing, hoping to base derived Deban distributions on testing rather +than stable, wanting testing to be a viable choice for Debian users, and +so on. + +The team will consist of Debian developers and possibly others. Unless a +member of the Debian security team joins the Debian testing security team, +none of us will have any privileged information about future security +announcements. Anyone with interest and experience with security issues is +welcome to join the team. + +To talk about how I think this team would work on testing''s security, I +need to talk about two distinct stages, before the sarge release, and +after. + +Right now we''re at a point in the sarge release cycle where most of the +focus of a testing security team needs to be on identifying and fixing +sarge''s security problems and getting it ready for release. This means +checking to make sure that security problems that have already been fixed +in unstable and stable do not continue to affect testing, as well as +dealing with new holes. I don''t think Debian has really invested much +effort into this in past releases, but if we want sarge to be a secure +release from the beginning, it''s important to do it. + +If we do that work now, then after sarge is released, we will only need to +worry about keeping track of new security holes and releasing security +advisories. + +Work before sarge''s release: +--------------------------- + +Some work on checking sarge for old security issues has already been done. +With help from some of the people in the CC list, I coordinated a scan of +every DSA since woody''s release and we checked all 450 DSAs to see if fixes +for those security holes had reached testing. Suprisingly, we found some +security holes that had not gotten fixed in testing in a year or more, +though those were the exceptions. + +I''ve continued to do this checking as each new DSA is released, as well as +filing bugs, working with the security team and Release Managers, and doing +a few NMUs to get the fixes in. The current list of unfixed DSAs sarge is: + + joeyh at newraff:~/sarge-checks>./checklist.pl DSA/list + kpdf (unfixed; bug #278173) for DSA-573-1 + gpdf 2.8.0-1 needed, have 2.8.0-0.1 for DSA-573-1 + libpng3 1.2.5.0-9 needed, have 1.2.5.0-8 for DSA-571-1 + kdelibs 4:3.2.3-3.sarge.1 needed, have 4:3.2.3-2 for DSA-539 + +But checking DSAs is not a complete check of known security issues that +might still be lurking in sarge. To do a really complete scan means looking +through old non-DSA advisories as far back as is reasonable or doable. I +think doing this scan and the following up on it to fix things would be a +good first step for the team, and a way to begin figuring out how the team +will work together. + +Mitre has a fairly comprehensive list of security problems in their list of +CAN numbers[1]. There have been about 1000 CANs allocated this year, some +of them are not released yet, some were covered by the DSAs and I''ve +checked a few hundred, so there are about 400 left. I think 4 or 5 people +could check these in a reasonable time period, and maybe do 2003 as well. +So if you''re interested in checking some of the CANs to see if they are +fixed in sarge, here''s what to do: + + - Sign up for an alioth account if you don''t have one. + - Send me your userid to be added to the secure-testing project on alioth. + - svn co svn+ssh://svn.debian.org/svn/secure-testing/sarge-checks + - Edit the CAN/list file and claim a range of CANs to check. Note that + CANs that have already been checked as part of the DSA checks are so + marked. Commit the file. + - Go through your claimed CANs and check changelogs, advisories, do + testing, whatever is needed to satisfy yourself whether sarge is + vulnerable or not, and record your findings in the CANs file. + - If it''s also not fixed in sid, then be sure to file a RC bug; if it''s + fixed in sid but not in sarge, be sure to record it as a critical issue + on the Release Managers'' sarge issue tracker here: + http://www.wolffelaar.nl/~sarge/ + Do other followup as appropriate to get the fix into sarge. + +Along with looking for old unfixed holes in sarge and working on getting +them fixed, we should also keep up-to-date with tracking new holes as +they''re announced. + +Work after sarge''s release: +-------------------------- + +By the time sarge releases, I hope to already have a team that has worked +together on getting sarge secure, and we''ll have a testing distribution +with no old security holes in it. This would be a great time to start +regular security updates for testing. I''ve been considering some acheivable +goals for the testing security team, and come up with this list: + + - Provide timely security updates for testing, with fixes being made + available no more than four days after a DSA is released. + - Work with maintainers to include security fixes from unstable + that do not have DSAs. + - Maintain a public database and statistics about the current state of + security in testing. + +Exactly how we would handle doing security updates for testing will have to +be decided by the team. We will probably want to release gpg signed DTSA +(Debian Testing Security Advisories) to a mailing list and web site. It +seems likely that we could use the testing-proposed-updates queue to build +updates, if it gets set up for all arches and continues to work after the +sarge release. For tracking issues, we may need to come up with our own +system, or we may be able to use the BTS, it if gets the promised version +tracking support added to it. We might want to set up our own security +repository separate from testing, or not. + +I think it''s important that the team not rely on others in Debian to do the +work for infrastructure we need; if it''s available then great, but if not +we should be prepared to work around it ourselves. + +While it''s again up to the eventual team to decide for sure, I suggest that +we build security updates against the packages in testing. I also suggest +that unlike security updates to package in stable, we should most often not +backport fixes to the versions of packages in testing. More often we will +simply take the fixed package from unstable, recompile it if necessary, and +qualify it for the testing distribution. This may involve upgrading to new +upstream releases, and so there''s a chance our updates will introduce new +bugs. Still, that''s not as bad as unfixed security holes, and for a small +team with limited manpower, this is a useful shortcut. We can make sure +that our users realise that using our security updates can expose them to +upgrade bugs. + +[1] http://cve.mitre.org/cve/candidates/downloads/full-can.html + Copied: doc/historic/announce.2 (from rev 15916, doc/announce.2) ==================================================================--- doc/historic/announce.2 (rev 0) +++ doc/historic/announce.2 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,127 @@ +Subject: announcing the beginning of security support for testing + +--------------------------------------------------------------------------- +Debian Testing Security Team September 9th, 2005 +secure-testing-team at lists.alioth.debian.org +http://testing-security.debian.net/ +--------------------------------------------------------------------------- + +Security support for testing + +The Debian testing security team is pleased to announce the beginning of +full security support for Debian''s testing distribution. We have spent the +past year building the team, tracking and fixing security holes, and +creating our infrastructure, and now the final pieces are in place, and +we are able to offer security updates and advisories for testing. + +We invite Debian users who are currently running testing, or who would like +to switch to testing, to subscribe to the secure-testing-announce mailing +list, which will be used to announce security updates. +<http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce> + +We also invite you to add the following lines to your apt sources.list file, +and run "apt-get update && apt-get upgrade" to make the security updates +available. + +deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free +deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free + +Alternatively, replace "secure-testing.debian.net" in the above lines with +a mirror near you: + + ftp.de.debian.org (located in Germany) + ftp.nl.debian.org (located in the Netherlands) + the.earth.li (located in UK) + ftp2.jp.debian.org (located in Japan) + farbror.acc.umu.se (located in Sweden) + +Some initial advisories have already been posted to the list and are already +available in the repository. These include: + +[DTSA-1-1] New kismet packages fix remote code execution +[DTSA-2-1] New centericq packages fix multiple vulnerabilities +[DTSA-3-1] New clamav packages fix denial of service and privilege escalation +[DTSA-4-1] New ekg packages fix multiple vulnerabilities +[DTSA-5-1] New gaim packages fix multiple remote vulnerabilities +[DTSA-6-1] New cgiwrap packages fix multiple vulnerabilities +[DTSA-7-1] New mozilla packages fix frame injection spoofing +[DTSA-8-1] New mozilla-firefox packages fix several vulnerabilities +[DTSA-9-1] New bluez-utils packages fix bad device name escaping +[DTSA-10-1] New pcre3 packages fix buffer overflow +[DTSA-11-1] New maildrop packages fix local privilege escalation +[DTSA-12-1] New vim packages fix modeline exploits +[DTSA-13-1] New evolution packages fix format string vulnerabilities + +Note that while all of Debian''s architectures are supported, we may release +an advisory before fixed packages have built for all supported +architectures. If so, the missing builds will become available as they +complete. + +We are not currently issuing advisories for security fixes that reach +testing through normal propagation from unstable, but only for security +fixes that are made available through our repository. So users of testing +should continue to upgrade their systems on a regular basis to get such +security fixes. We might provide information about security issues that +have been fixed through regular testing propagation in the future, though. + +Note that this announcement does not mean that testing is suitable for +production use. Several security issues are present in unstable, and an +even larger number are present in testing. Our beginning of security +support only means that we are now able to begin making security fixes +available for testing nearly as quickly as for unstable. The testing +security team''s website has information about what security holes are still +open, and users should use this information to make their own decisions +about whether testing is secure enough for them. + +Finally, we are still in the process of working out how best to serve users +of testing and keep your systems secure, and we welcome comments and +feedback about ways to do better. You can reach the testing security team +at secure-testing-team at lists.alioth.debian.org. + +If you want to become a mirror, please see +http://testing-security.debian.net/mirroring.html + +Debian developers who would like to upload fixes for security holes in +testing to the repository can do so, following the instructions on our web +site. + +For more information about the testing security team, see our web site. +<http://testing-security.debian.net/>. + +---------------------------------------------------------------------------- + +The archive signing key that is used to sign the apt repository is +included below and can also be downloaded from +http://testing-security.debian.net/ziyi-2005-7.asc + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.1 (GNU/Linux) + +mQGiBEMM7wgRBACs/rcYtu++PqBV5t6qTf9FsjJYZV4OUoQmtK849PdHUoVONh/b +yz0vmP4QPCJXraFYiiiaur8WLcOphwY3DFaz0quozxl3pZfJjN27qDdTTDUKk1Kq +zFQYTsDaXjSh0nRGW3gFmbyIqTL8sVGOAAz2KbrtLEQE11qYZjzvylEf4wCgv6ss +HgQ7AcSBjpvm72e9PvSuDhMD/1kV0Snq9ilvCv7QLHBo/JnNgiCwxh5nEnPWHYjo +SB0I99nuFMAzooAXTQhU3Hx1/sdZ3SMk1hWwZCPI0iNqESH2a3ib0YZt0DycWa3Y +KxXIJet92u3ApSMVbp6OzzL7REoNCAgg6F/lrl+lVtnHbKiKBMZlKMsp+kQLSXqr +Ki0pA/wIkkp7mJ7IiVS0fy9gueuiLqJKR6+i092J0RXsQesQX4OTC2DY3IICB22Q +HfE8WNVZ2iPuWK0ymg6GqAHplp7bfVZMzfMSTMc+hj9WnmEVRRjLH66tsq1XHGEQ +qg/mbkmeXwUwxAT1WGClcRWJqODmWE7KhkjKwGklYgzBoxwqkLRDc2VjdXJlLXRl +c3RpbmcgQXJjaGl2ZSBLZXkgMjAwNS03IDxrYXRpZUBzZWN1cmUtdGVzdGluZy5k +ZWJpYW4ubmV0PohkBBMRAgAkBQJDDO8IAhsDBQkElVcABgsJCAcDAgMVAgMDFgIB +Ah4BAheAAAoJEJRqpuGHIucecvgAoK3nnF0yEwpNeQASyerh4wxRblZzAJ9h8rEF +YldbZt/zYA53k2/y2m+s7LkCDQRDDO8gEAgAm1Y/a//sVe6fEANvLc5M5pEsoRkP +LNKcH1O/og2mID8/gBV99LRfRnjcV8xhF5cWIlb4Es3KvQxmvxo6zGEfsMJWoezq +H+2agIra78dfb0B1AyHuvwSRMc9sVy+3CuegM8bD3ss+4ta3rNLChpVrE8DxJZum +ecqkNSQVOkqeAOl2JIQ/xBkLg1hjQA8bXW5AiUu4/XAQAe04w7YNfdsApeCfpKEW +Atg54CD9uRbfSwnd2uYHYcosmBMhryNrHy27RkyS0BFWaL/1gfBqua7VujcnCm6S +nbhB4t3vk/AnEsPJixtW/tOC3a3BaPqGsTq848e/PzmWY/8y9mvXwbxq5wADBQgA +gNtB3u8TCN2Z4wkKrg19LohivQzJCXFfRi2ZydOe9E3SbSi6ggthjvGhHv2lTHEu +e/4wBOta3a9pUpVdMgRFL1UuJy3nPd1yPC0dOegJj+lMkeMGcdKolJUMdoA+ieZ2 +lwkrT1b5GdFBSRn8hsuRtZi69QtzoHzDR5lg9ynwTJ+mLlO8r83HmdxbXsnmGlxy +ZWRoqiSIl7mRLHp2tuFw9chgJ1nqwewTmCj85Aj/YsbGmqOJcnp98Jk0GDiP/le4 +rktZAqG2blwVpC2DLLiQSqcYS5jjq/iiGnYEIVG+nPa/29OuoX40zwKqBcy5I8rJ +ZIq2hzbazsyg2Sd3vhmZuohPBBgRAgAPBQJDDO8gAhsMBQkElVcAAAoJEJRqpuGH +IuceRqUAn3Q8msRUTsp882QINWyy5fqTehb5AJ9+kz3xq+7ooAwkdgpNOiz7ogxp +Qg=+=KBNL +-----END PGP PUBLIC KEY BLOCK----- Copied: doc/historic/announce.3 (from rev 15916, doc/announce.3) ==================================================================--- doc/historic/announce.3 (rev 0) +++ doc/historic/announce.3 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,46 @@ +X-pseudo-subject: For those who care about testing security +Subject: Testing security archive move + +--------------------------------------------------------------------------- +Debian Testing Security Team May 12th, 2006 +secure-testing-team at lists.alioth.debian.org +http://testing-security.debian.net/ +--------------------------------------------------------------------------- + +Testing security archive move + +The Debian testing security team is pleased to announce the integration of +the secure testing archive to http://security.debian.org + +We invite Debian users who are currently running testing, or who would like +to switch to testing, to subscribe to the secure-testing-announce mailing +list, which will be used to announce security updates. +<http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce> + +We also invite you to add the following lines to your apt sources.list file, +and run "apt-get update && apt-get upgrade" to make the security updates +available. + +deb http://security.debian.org etch/updates main contrib non-free +deb-src http://security.debian.org etch/updates main contrib non-free + +This replaces the previous http://secure-testing.debian.net/ lines which should +no longer be used. There will be a transition period where packages are +uploaded to both, but you should now use the http://security.debian.org lines. + +Note that while all of Debian''s architectures are supported, we may release +an advisory before fixed packages have built for all supported +architectures. If so, the missing builds will become available as they +complete. + +Debian developers who would like to upload fixes for security holes in +testing to the repository can do so, following the instructions on our web +site. + +Finally, we are still in the process of working out how best to serve users +of testing and keep your systems secure, and we welcome comments and +feedback about ways to do better. You can reach the testing security team +at secure-testing-team at lists.alioth.debian.org. + +For more information about the testing security team, see our web site. +<http://testing-security.debian.net/>. Copied: doc/historic/bits_2007_10_x (from rev 15916, doc/bits_2007_10_x) ==================================================================--- doc/historic/bits_2007_10_x (rev 0) +++ doc/historic/bits_2007_10_x 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,158 @@ +Hi fellow developers, + +We finally got around to sending this email to inform you about the +current state of the Testing Security team and its work. + +If you at any stage have questions about the Testing Security team, +please feel free to come to #debian-security on OFTC or write an email to +secure-testing-team at lists.alioth.debian.org . + + + +Security status of testing +-------------------------- + +Thanks to an increased size of our team, Debian Lenny is in good shape with +respect to security and has been so for some time. We expect to be able to +keep up this level of security support (at least) until the release of Lenny. + +In the weeks immediately after the release of Etch there were some security +support problems for testing. We hope to improve our processes so that we won''t +run into the same problems after the release of Lenny. There will be another +announcement about the state of these efforts well before Lenny''s release. + +Our web page[0] has been updated to reflect the current status. + + + +New announcement mails +---------------------- + +Previously we were mimicing the announcement method that Stable security +uses by providing DTSAs (Debian Testing Security Advisories). However, +these were only prepared for issues that required us to manually prepare +package updates, thereby forcing a package into testing that would not +otherwise migrate automatically in a reasonable time-frame. This resulted +in very infrequent DTSAs because most of the security issues were dealt +with by fixed packages migrating from unstable to testing. + +Therefore, we set up daily announcements (delivered to the +announcement mailinglist[1]), which include all new security fixes for +the testing distribution. Most commonly the email shows the migrated +packages. If there has been a DTSA issued for a package, this will +show up as well. + +In some rare cases, the Testing Security team asks the release +managers to remove a package from testing, because a security fix in a +reasonable amount of time seems to be unlikely and the package should +not be part of testing in our opinion. In this case, the email will +additionally include information about the removal. + + + +Efforts to fix security issues in unstable +------------------------------------------ + +The Testing Security team works mainly on assigned CVE numbers but +also follows security relevant bugs reported via the BTS. If you +encounter a security problem in one of your packages, which does not +have a CVE number yet, please contact the Testing Security team. It +is important to have a CVE id allocated, because they allow us to +track the security problem in all Debian branches (including Debian +stable). When you upload a security fix to unstable, please also +include the CVE id in your changelog and set the urgency to high. The +tracker used by both the Testing and Stable Security teams, can be +found on this webpage[2]. + +The main task of the Testing Security team is to review CVE id +relevance to Debian, informing Debian maintainers by filing bugs to +the BTS (if not already done) and chasing the security fix to move it +faster into testing. Whenever possible, we try to provide patches and +sometimes also NMU the packages in unstable. Please do not regard an +NMU by the Testing Security team as a bad sign. We try to assist you +in the best way to keep Debian secure. Also keep in mind that not all +security related problems have a grave severity, so do not be +surprised if a normal bug in the Debian BTS results in assigning a CVE +id for it. An up to date overview of unresolved issues in unstable +can be found on the tracker website[3]. + + + +Efforts to fix security issues in testing +----------------------------------------- + +Our efforts to keep testing secure are primarily focused around +letting fixed packages migrate from unstable. In order to +ensure this migration process, we are in close contact with the +release team and request priority bumps to speed up the +migration. Sometimes a package is kept from migrating due to a +transition, the occurrence of new bugs in unstable, buildd issues or +other problems. In these cases, the Testing Security team considers +the possibility of issuing a DTSA. We always appreciate it when the +maintainer contacts us about their specific security problem. When we +are in communication then we can assist by telling you whether to wait +for migration or to prepare an upload to testing-security. For non-DDs, +these uploads can be sponsored by every DD, preferable by a member of +the Testing Security team. If you get a go for an upload to +testing-security by one of us, please follow the guidelines on the +webpage[4]. If we feel the need to issue a DTSA and were not contacted +by the maintainer, we normally go ahead and upload ourselves, although +efforts by maintainer to be involved in this process is much preferred. + +An up to date overview of unresolved issues in testing can be found on +the tracker website[5]. + + + +Embedded code copies +-------------------- + +There are a number of packages including source code from external +libraries, for example poppler is included in xpdf, kpdf and others. +To ensure that we don''t miss any vulnerabilities in packages that do so +we maintain a list[6] of embedded code copies in Debian. It is preferable +that you do not embed copies of code in your packages, but instead link +against packages that already exist in the archive. Please contact us about +any missing items you know about. + + + +Some statistics +--------------- + +* 35 DTSAs had been issued in 2007 so far for over 139 CVE ids +* 39 NMUs were uploaded in the last two months to fix security flaws +* 49 security related uploads migrated to testing in the last month for 71 CVE ids +* 5500 CVE ids had been processed by the team so far for this year + + + +New Testing Security Members +---------------------------- + +New members are constantly added to the team. The most recent additions are +Nico Golde, Steffen Joeris, and Thijs Kinkhorst. The circle of team members +who may approve releases to the testing-security repository has also been +enlarged by Stefan Fritsch (since May), Nico Golde and Steffen Joeris +(both added recently). + +If you are interested in joining the team, we always need more people, +and it''s not very hard to contribute in very small ways that have large +impacts! Contact us if you are interested. You may want to also look at +our helping page[7]. + +So far so good. We hope to keep you updated on testing security issues +more regularly. + +Yours, +Testing Security team + + +[0]: http://testing-security.debian.net/ +[1]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce +[2]: http://security-tracker.debian.net/tracker/ +[3]: http://security-tracker.debian.net/tracker/status/release/unstable +[4]: http://testing-security.debian.net/uploading.html +[5]: http://security-tracker.debian.net/tracker/status/release/testing +[6]: http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0 +[7]: http://testing-security.debian.net/helping.html Copied: doc/historic/bits_2008_06_x (from rev 15916, doc/bits_2008_06_x) ==================================================================--- doc/historic/bits_2008_06_x (rev 0) +++ doc/historic/bits_2008_06_x 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,146 @@ +Hi fellow developers, + +It''s been some time since our last email. Much has happened since then +with regards to the security support of Debian''s testing distribution. + + +General security support for testing +------------------------------------ + +The Debian Testing Security team is very near to providing full +security support for the testing distribution. At the time of the last +email, two blockers for full security support were present. However, +we now are able to process embargoed issues (more on that below), so +we are happy to announce that only one blocker remains. The only +remaining blocker for full security support at this point is the +kernel. We are talking to the kernel security team about providing +testing-security support, but at the moment this task lacks +manpower. If you are willing to work on this, please feel free to +contact us. Otherwise, in terms of security at this point we recommend +using the stable kernel or if that is not an option, the unstable +kernel. Also, we would like to state that packages that are not +security supported for stable are likewise unsupported for +testing. This list includes all packages in contrib and non-free, as +well as the ones that are marked unsupported (for example, +kfreebsd). The maintainers are solely responsible for security and +there won''t be any DTSAs for such packages. + + +Security status of the current testing distribution (lenny) +----------------------------------------------------------- + +With some pride we can say that testing has never been in such good +shape security wise. The tracker reflects very accurately the current +known security issues in the testing distribution[0]. Our new +announcement emails[1] provide a notification for users whenever a new +security fix reaches testing, whether through migration from unstable +or DTSA for testing-security. Also fewer packages are getting removed +from testing because of security issues. + +In order to reach a wider audience with security updates for testing +and due to the beta1 release of the lenny installer including the +testing-security repository in the apt-sources, this new mailing list +was created. We highly recommend that every user who runs Debian +testing and is concerned about security subscribes[1] to this list + +Note: this list is a replacement of the old secure-testing-announce +list hosted on alioth which has been removed. + + +Security status of the next testing distribution (lenny+1) +---------------------------------------------------------- + +After the release of lenny, there will probably be no security support +for the new testing distribution for some time. It is not clear yet +how long this state will last. Users of testing who need security +support are advised to change their sources.list entries from +"testing" to "lenny" now and only switch to lenny+1 after the begin of +its security support is announced. There will be another announcement +with more details well before the release of lenny. + + +Embargoed issues and access to wider security information +--------------------------------------------------------- + +Parts of the Testing Security Team have been added to the +team at security.debian.org alias and are thus also subscribed to the +vendor-sec mailing list where embargoed security issues are +coordinated and discussed between Linux vendors before being released +to the public. The embargoed security queue on security-master will be +used to prepare DTSAs for such issues. This is a major change as the +Testing Security Team was not able to prepare updates for security +issues under embargo before. If a DTSA was prepared for an embargoed +issue in your package, you will either be contacted by us before the +release or you will be notified through the BTS. Either way, you will +most likely get an RC bug against your package including the patch +used for the DTSA. This way you can prepare updates for unstable and +the current unfixed unstable package does not migrate to testing, +where it would overwrite the DTSA. + + +Freeze of lenny coming up +------------------------- + +With the lenny release approaching, the Debian release team will at +some stage freeze the testing archive. This means it is even more +important to stay in close contact with the Debian Testing Security +team to coordinate security updates for the testing distribution. If +one of your packages is affected by an unembargoed security issue, +please contact us through the public list of the team[2] and fix the +issue in unstable with high urgency. Please send as much information +as possible, including patches, ways to reproduce the issue and +further descriptions. If we ask you to prepare a DTSA, please follow +the instructions on the testing-security webpage[3] and go ahead with +the upload. If your package is affected by an embargoed issue, email +the private list[4] and if we should ask you to upload a DTSA, use the +embargoed upload queue (which is the same than for stable/oldstable). + + +Handling of security in the unstable distribution +------------------------------------------------- + +First of all, unstable does not have official security support. The +illusion that the Debian Testing Security team also officially +supports unstable is not true. Security issues in unstable, especially +when the package is not in testing, are not regarded as high urgency +and are only dealt with when there is enough spare time. + +However, it is true that most of our security updates migrate through +unstable to prevent doubled workload. For this purpose, we urge every +maintainer to upload their security fixes with high urgency and +mention the CVE ids (if given) in their changelogs. Because we let +fixes migrate, it often happens that we NMU packages. An up to date +list of NMUs done by the security team can be found in our +repository[5]. These NMUs are done as the need arises and do not +always follow the given NMU rules, because security updates are +treated with higher urgency. + + +Call for new members: +--------------------- + +The team is still looking for new members. If you are interested in +joining the Debian Testing Security team, please speak up and either +write to the public mailing list[2] or approach us on the internal +mailing list[6]. Note that you do not have to be a DD for all tasks. +Check out our call for help[7] for more information about the tasks +and the requirements if you want to join the team. We also look for +people with experienced knowledge regarding the kernel. We would like +to start security support for the kernel packages in testing and +prepare DTSAs for the unembargoed kernel issues. For this task, it +would be good to have one or two designated people in the Debian +Testing Security team to only concentrate on this task. If you are +interested, please speak up. + + +Yours, +Testing Security + +[0]: http://security-tracker.debian.net/tracker/status/release/testing +[1]: http://lists.debian.org/debian-testing-security-announce +[2]: secure-testing-team at lists.alioth.debian.org +[3]: http://testing-security.debian.net/uploading.html +[4]: team at security.debian.org +[5]: http://svn.debian.org/wsvn/secure-testing/data/NMU/list?op=file&rev=0&sc=0 +[6]: team at testing-security.debian.net +[7]: http://lists.debian.org/debian-devel-announce/2008/03/msg00007.html Copied: doc/historic/lenny_release (from rev 15916, doc/lenny_release) ==================================================================--- doc/historic/lenny_release (rev 0) +++ doc/historic/lenny_release 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,35 @@ +Subject: Temporary suspension of testing security support after release of 5.0 (lenny) + +Due to the experiences we made after the last stable Debian release, the +Testing Security Team believes that it will be impossible to provide proper +security support for the new testing (Debian "squeeze") in the weeks following +the release of Debian 5.0 (lenny). Therefore we will temporarily suspend +security support for Debian testing after the release. + +If you need security support, we strongly recommend that you now change your apt +sources.list entries to point to "lenny" instead of "testing". This way you +will automatically stay with "lenny" after its release as stable and will +receive the normal security support for Debian stable. After the begin of +security support for Debian "squeeze" is announced, you may safely upgrade to +testing again. + + +There are two reasons for this suspension: + +After a stable release it will take some time to get the security related buildd +infrastructure for the new testing in place. Since many people will be busy +celebrating the release, we don''t know how long this will take ;-) + +In addition to that, we expect that shortly after the release a new libc +version will be uploaded to unstable, which will block most packages from +migrating from unstable to testing. This means that no security fixes will +reach testing from unstable. Since the Testing Security Team does not have +enough members to backport all security fixes to testing, it will be impossible +to provide proper security support. After the last stable release (etch) it +took nearly two months until the new glibc reached testing. + +On the other hand, libc blocking most packages from migrating to testing also +means that the difference between stable and testing will not grow quickly in +the weeks after lenny release. Therefore staying with stable should be an +acceptable solution for most users during that time. If you absolutely need +newer packages, you may also consider using unstable instead of testing. Copied: doc/historic/mopb.txt (from rev 15916, data/mopb.txt) ==================================================================--- doc/historic/mopb.txt (rev 0) +++ doc/historic/mopb.txt 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,237 @@ +Issues affecting PHP 4 and PHP 5: + +41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability +#TODO(medium) -> for PHP5, php4 uses a seperate php4-sqlite package. +[MOPB-41-php5.diff] + +34 PHP mail() Header Injection Through Subject and To Parameters +#TODO(medium) -> needs to be fixed, CVE-2007-1718 (php4 & php5, header +injection possible via some MTAs when set to process the headers for +recipients), Sarge''s php4 not affected +[MOPB-34-php5.diff] + +30 PHP _SESSION unset() Vulnerability +#TODO(low) -> hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution) +[MOPB-30-php5.diff] + +26 PHP mb_parse_str() register_globals Activation Vulnerability +#TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process) + +22 PHP session_regenerate_id() Double Free Vulnerability +#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution) +[MOPB-22-php5.diff] + +10 PHP php_binary Session Deserialization Information Leak Vulnerability +#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) +Check, to which extent this was covered by our backports of 5.2.1 patches +[MOPB-10-php5.diff] + + + +Issues affecting PHP 4 only: + +35 PHP 4 zip_entry_read() Integer Overflow Vulnerability +#TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution) +[MOPB-35-php4.diff] + +32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) +TODO(medium) -> needs to be fixed in php/etch and php/sarge (remote code execution) +[MOPB-32-php4.diff] + +04 PHP 4 unserialize() ZVAL Reference Counter Overflow +TODO (php4 only, gain execute control) +[MOPB-04-php4.diff] + + + +Issues affecting PHP 5 only: + +45 PHP ext/filter Email Validation Vulnerability +TODO(low) -> possible email header injections when coupled with other problems (php5 5.2.0, 5.2.1) +[MOPB-45-php5.diff] + +44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability +#TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only) + +42 PHP 5 php_stream_filter_create() Off By One Vulnerablity +#TODO(medium) -> needs to be fixed, CVE-2007-1824 (php5, remote code execution, though haven''t reproduced it) +[MOPB-42-php5.diff] + +23 PHP 5 Rejected Session Identifier Double Free Vulnerability +#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution) + +19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability +#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) + +18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability +#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, can avoid filters) + +17 PHP ext/filter FDF Post Bypass Vulnerability +#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, (php5 5.2.0 only, can avoid filters) + +16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability +#TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution) + +14 PHP substr_compare() Information Leak Vulnerability +#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) +[MOPB-14-php5.diff] + + + + + +Done or resolved: + + +43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty +#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only) + +40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability +#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825 + +39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability +#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885 + +38 PHP printf() Family 64 Bit Casting Vulnerabilities +#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884 + +37 PHP iptcembed() Interruption Information Leak Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution) + +36 PHP session.save_path open_basedir Bypass Vulnerability +#N/A -> open_basedir bypasses not supported, CVE-2007-1461 + +33 PHP mail() Message ASCIIZ Byte Truncation +#N/A -> This is a bug, but not security-relevant, CVE-2007-1717 (php4 & php5) + +31 PHP _SESSION Deserialization Overwrite Vulnerability +#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution) + +29 PHP 5.2.1 unserialize() Information Leak Vulnerability +#N/A -> Only affects PHP 5.2.1, CVE-2007-1649 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?) +[MOPB-29-php5.diff] + +28 PHP hash_update_file() Already Freed Resource Access Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution) + +27 PHP ext/gd Already Freed Resource Access Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution) + +25 PHP header() Space Trimming Buffer Underflow Vulnerability +#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584 + +24 PHP array_user_key_compare() Double DTOR Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution) +[MOPB-24-php5.diff] + +21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability +#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461 + +20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability +#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1460 + +15 PHP shmop Functions Resource Verification Vulnerability +#N/A -> Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage) +[MOPB-15-php5.diff] + +13 PHP 4 Ovrimos Extension Multiple Vulnerabilities +#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 + +12 mod_security POST Rules Bypass Vulnerability +#N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?), CVE-2007-1359. + +11 PHP WDDX Session Deserialization Information Leak Vulnerability +#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak) + +09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability +#N/A -> Only applies to a development version in CVS, not a shipped release, CVE-2007-1381. + +08 PHP 4 phpinfo() XSS Vulnerability (Deja-vu) +N/A -> phpinfo() is a debug function, not be exposed to applications (php4 4.4.3 through 4.4.6 only, phpinfo XSS) + +07 Zend Platform ini_modifier Local Root Vulnerability (B) +N/A -> Only affects the Zend platform + +06 Zend Platform Insecure File Permission Local Root Vulnerability +N/A -> Only affects the Zend platform + +05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability +#Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS) + +03 PHP Variable Destructor Deep Recursion Stack Overflow +#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only) + +02 PHP Executor Deep Recursion Stack Overflow +#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2006-1549 (php4 & php5, crash only) + +01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control) + + + + +(Comments starting with # indicate that information has been fed to the tracker) +(Comments starting with TOFIX indicate that a patch has been created or extracted) + + +# php4 checklist + + Sarge Etch +41 a a <- seperate source package php4-sqlite +35 T T +34 / t +32 T T +30 / / +26 a a +22 t t +10 T T <- seemed already fixed but this completes the patch +04 T T + +? = more info +x = fix needed +* = extracted +a = patch generated and commited to SVN +t = didn''t seem affected, but patch makes sense +T = code tested +/ = not affected + +# PHP5 checklist.... +MOPB Etch, Unstable Dapper, Edgy, Feisty, Gutsy PATCH +10 p p[3] T T T - * +14 X T T T T - * +15 i T T T - - * +16 p p - - - - +17 - - - - - - +18 X T - - - - +19 X T - - - - +22 X T T T T - * +23 X T[5] X X X - ? +24 i i T T T X * +26 X T T T T - * +29 - - - - T - * +30 - a[4] T T - - * +34 X a T T T - * +41 X T T T T - ![1] +42 X a T T - - * +44 X a - - - - +45 X T - - T - ![2] + +* = patch extracted from upstream +? = no upstream patch found +! = patch created + +X = fixed desired +a = patch applied +p = previously fixed +T = code tested +- = fix n/a +i = fix skipped + +[1] but the fix in php5 is not right, the call (not the SQLite API) needs + to be changed. For references, here is the upstream "fix": + http://cvs.php.net/viewvc.cgi/php-src/ext/sqlite/libsqlite/src/encode.c?r1=1.5.4.1&r2=1.5.4.1.2.1&pathrev=PHP_5_2 +[2] this needs a CVE assigned +[3] previously fixed, but the patch adds another check we should have too. +[4] could not reproduce this problem +[5] the first hunk of the patch for mopb 22 fixes this. + Copied: doc/historic/mops.txt (from rev 15916, data/mops.txt) ==================================================================--- doc/historic/mops.txt (rev 0) +++ doc/historic/mops.txt 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,64 @@ +Month of PHP security May 2010 status file + +001: CVE-2007-1581; Only triggerable by malicious script +002: External app not in Debian: Campsite +003: CVE-2010-1866; Should be fixed for Squeeze, doesn''t affect Lenny (5.3 only) +004: External app not in Debian: ClanSphere +005: External app not in Debian: ClanSphere +006: CVE-2010-1864; Only triggerable by malicious script +007: External app not in Debian: ClanTiger +008: CVE-2010-1862; Only triggerable by malicious script +009: CVE-2010-1861; Only triggerable by malicious script +010: CVE-2010-1860; Only triggerable by malicious script +011: External app not in Debian: DeluxeBB +012: CVE-2010-1868; Only triggerable by malicious script +013: CVE-2010-1868; Only triggerable by malicious script +014: CVE-2010-1914; Only triggerable by malicious script +015: CVE-2010-1914; Only triggerable by malicious script +016: CVE-2010-1914; Only triggerable by malicious script +017: CVE-2010-1915; Only triggerable by malicious script +018: External app not in Debian: EFront +019: CVE-2010-1916; Serendipity, doesn''t affect Lenny (1.4 onwards), pinged Thijs +020: CVE-2010-1916; External app; xinha, Just an ITP: #479708, there are embedders +021: CVE-2010-1917; PHP fnmatch() Stack Exhaustion Vulnerability +022: CVE-2010-2093; Only triggerable by malicious script +023: no CVE yet; Cacti, pinged Sean Finney +024: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR +025: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR +026: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR +027: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR +028: CVE-2010-2094; Doesn''t affect Lenny, extension is new enough not to have (code) users other than PEAR +029: External app not in Debian: CMSQLITE +030: External app not in Debian: CMSQLITE +031: External app not in Debian: e107 +032: CVE-2010-2097; Only triggerable by malicious script +033: CVE-2010-2097; Only triggerable by malicious script +034: CVE-2010-2097; Only triggerable by malicious script +035: External app not in Debian: e107 +036: CVE-2010-2100; Only triggerable by malicious script +037: CVE-2010-2100; Only triggerable by malicious script +038: CVE-2010-2100; Only triggerable by malicious script +039: CVE-2010-2100; Only triggerable by malicious script +040: CVE-2010-2100; Only triggerable by malicious script +041: CVE-2010-2101; Only triggerable by malicious script +042: CVE-2010-2101; Only triggerable by malicious script +043: CVE-2010-2101; Only triggerable by malicious script +044: CVE-2010-2101; Only triggerable by malicious script +045: CVE-2010-2101; Only triggerable by malicious script +046: CVE-2010-2101; Only triggerable by malicious script +047: CVE-2010-2190; Only triggerable by malicious script +048: CVE-2010-2190; Only triggerable by malicious script +049: CVE-2010-2191; Only triggerable by malicious script +050: CVE-2010-2191; Only triggerable by malicious script +051: CVE-2010-2191; Only triggerable by malicious script +052: CVE-2010-2191; Only triggerable by malicious script +053: CVE-2010-2191; Only triggerable by malicious script +054: CVE-2010-2191; Only triggerable by malicious script +055: CVE-2010-2191; Only triggerable by malicious script +056: CVE-2010-3062; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid +057: CVE-2010-3062; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid +058: CVE-2010-3063; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid +059: CVE-2010-3064; Does not affect Lenny; unimportant, mysqlnd not used in squeeze/sid +060: CVE-2010-3065; Should be fixed in Lenny and unstable; low importance + + Copied: doc/historic/move_to_l.d.o (from rev 15916, doc/move_to_l.d.o) ==================================================================--- doc/historic/move_to_l.d.o (rev 0) +++ doc/historic/move_to_l.d.o 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,39 @@ +Hi, + +as the effort to offer security support for Debian Testing has become more +official than it was when it started in 2005, and to make it easier to find +this announcement list, we have decided to move this list from alioth to +lists.debian.org. The planned date for the switch is June 25th. + +For you this means: + +1. Subscribers of the old list will be migrated to the new list automatically. + +2. This list, secure-testing-announce at lists.alioth.debian.org will be renamed +to debian-testing-security-announce at lists.debian.org. Mails to you will come +from the new address. + +3. The mailinglist headers will change. If you filter for headers, please +adjust your setup accordingly. The new header will be: + +List-Id: <debian-testing-security-announce.lists.debian.org> + +4. The subject will no longer contain the prefix [SECURITY]. + +5. Mails will originate from a different server. If you had any special +configuration (like an exception from grey-listing) for the old server, change +this to: + + lists.debian.org a.k.a. liszt.debian.org + 82.195.75.100 + +6. For unsubscribe instructions, look at the footer of announcements mails sent +from the new list. + +7. The list archive will move to + + http://lists.debian.org/debian-testing-security-announce/ + + +If you experience any problems, don''t hesitate to contact us. + Copied: doc/historic/testing-security (from rev 15916, doc/testing-security) ==================================================================--- doc/historic/testing-security (rev 0) +++ doc/historic/testing-security 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,93 @@ +Providing security updates for Debian''s "testing" distribution. + + +Goals + +The initial goals of the Debian testing security team will be to: + + - Provide timely security updates for testing, with fixes being made + available no more than four days after a DSA is released. + - Work with maintainers to include security fixes from unstable + that do not have DSAs. + - Maintain a public database and statistics about the current state of + security in testing. + + +Existing infrastructure + +The main infrastructure we have that could be useful in preparing testing +security updates is the testing-proposed-updates queue. Thanks to the recent +work on the sarge release, t-p-u is functional for all (or almost all) +arches. + +There is also all the work of the security team, with DSAs, relationships +with upstream security sources, etc. + +There is the Debian BTS, which contains some but not all details about +security holes in Debian. Some security holes are not made public until a +DSA is released, and some are silently fixed in a new upstream release +uploaded to unstable. The BTS has some issues with keeping track of which +bugs apply to testing, though its developers have been working on solving +this problem for a while. + +We plan to take advantage of as much of the existing infrastructure as we +can, but we recognise that using some of it would require work from others +(ftp admins, security team, BTS admins), that we cannot require be done. We +plan to be able to function without needing these project resources, though +they could probably make the job easier. + + +Proposed infrastructure and processes + + + +This is how things will work for the first phase of the team''s activity. +Once the team is proven to work and there is demand, things can be better +integrated back into Debian. We hope that eventually our updates will be +available on security.debian.org the same as stable security updates. + +There will be an apt repository for testing security updates, similar to +security.debian.org. Uploads to this repository will be made only by +members of the testing security team, will be GPG signed in the usual way, +and will be accompanied a DTSA (Debian Testing Security Advisory), posted +to our web site, and to a mailing list. + +In the very early stages, this will only include security updates for the +i386 architecture. Security updates for other architectures will be added +after we work out an autobuilder system (hopefully by using Debian''s +existing t-p-u autobuilders). + +There will be an issue tracking system, which will be integrated with the +Debian BTS, so we can flag bugs as security issues for testing, and keep +track of when they are fixed in unstable, and in testing. + +All security updates will be built against the packages in testing, and +will be versioned to be an upgrade from the version of the package in +testing, and also as an upgrade from any unfixed version in unstable. Once +the security hole is fixed in unstable and reaches testing using normal +channels, the package can be removed from secure-testing.debian.net. + +Unlike security updates to package in stable, we will most often not +backport fixes to the versions of packages in testing. More often we will +simply take the fixed package from unstable, recompile it if necessary, and +qualify it for the testing distribution. This may involve upgrading to new +upstream releases, and so there''s a chance our updates will introduce new +bugs. We feel this is not as bad as unfixed security holes, and as a small +team with limited manpower, this is a useful shortcut. We will make sure +that out users realise that using our security updates can expose them to +upgrade bugs. + + +Team organisation + +The team will consist entirely of Debian developers. Unless a member of the +Debian security team joins the Debian testing security team, none of us +will have any privileged information about future security announcements. +So we will not be able to fix problems instantaneously, but we hope to get +all issues fixed within four days of the DSA, and most issues fixed +somewhat faster. Any Debian developer who has experience with security +issues is welcome to join the team. + +The current team members: + Joey Hess + <er, someone else please add your name here> Copied: doc/historic/tmp.txt (from rev 15916, tmp.txt) ==================================================================--- doc/historic/tmp.txt (rev 0) +++ doc/historic/tmp.txt 2011-01-18 02:17:49 UTC (rev 15917) @@ -0,0 +1,104 @@ +- Make sure the issue is tracked in the tracker +- Criteria for potential DSA: Typically used as root, typically used + on multiuser system, non-fringe, real world use case (i.e no debug, + no examples) +- This is the initial batch reported by Dmitry, but there might have + been followups? We should check this, I haven''t caught up with + mail backlog +- While some issues might not warrant a DSA for Etch, we should be + a little more aggressive on maintainters not following up for + Lenny and rather go for removal in such cases +- Since stable updates can be made by any DD we could also advertise + this on debian-devel to find a volunteer if the respective + maintainers are too busy +- I think we only need CVE IDs for issues fixed in a DSA or through + a point update, oss-security should be better than a CNA pool since + there''s a risk of collisions + + + +DSA: (Name in brackets if someone prepares a DSA) + Binary-package: qemu (0.9.1-5) (CVE-2008-4553) (white) + + +SPU: + Binary-package: ibackup (2.27-4.1) (CVE-2008-4475) + Binary-package: sympa (5.3.4-5) (CVE-2008-4476) + Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) (CVE-2008-4474) + Binary-package: fwbuilder (2.1.19-3) (CVE requested) + Binary-package: aegis-web (4.24-3) (CVE requested) + Binary-package: rancid-util (2.3.2~a8-1) (CVE requested) + Binary-package: fml (4.0.3.dfsg-2) (CVE requested) + Binary-package: gdrae (0.1-1) (CVE requested) + Binary-package: cdrw-taper (0.4-2) + Binary-package: digitaldj (0.7.5-6+b1) + Binary-package: xastir (1.9.2-1) + Binary-package: aview (1.3.0rc1-8) + Binary-package: xcal (4.1-18.3) + Binary-package: mgt (2.31-5) + Binary-package: sng (1.0.2-5) + Binary-package: cdcontrol (1.90-1.1) + Binary-package: apertium (3.0.7+1-1+b1) + Binary-package: rccp (0.9-2) + Binary-package: xmcd (2.6-19.3) + Binary-package: xsabre (0.2.4b-23) (CVE-2008-4407) + Binary-package: realtimebattle-common (1.0.8-2) + Binary-package: cman (2.20080629-1) + Binary-package: wims (3.62-13) + Binary-package: konwert-filters (1.8-11.1) + Binary-package: crossfire-maps (1.11.0-1) + Binary-package: sgml2x (1.0.0-11.1) + Binary-package: xen-utils-3.2-1 (3.2.1-2) + Binary-package: myspell-tools (1:3.1-20) + Binary-package: emacs-jabber (0.7.91-1) + Binary-package: audiolink (0.05-1) + Binary-package: impose+ (0.2-11) + Binary-package: emacspeak (26.0-3) (CVE-2008-4191) + Binary-package: netmrg (0.20-1) + Binary-package: r-base-core (2.7.1-1) (CVE-2008-3931) + Binary-package: dist (1:3.5-17-1) + Binary-package: gpsdrive-scripts (2.10~pre4-3) + Binary-package: rkhunter (1.3.2-3) + Binary-package: mgetty-fax (1.1.36-1.2) + +Non-issues (not exploitable, only examples or very exotic use cases, +e.g. only exploitable when debugging a certain option, not present +in Etch or only exploitable during package build time): + Binary-package: ogle-mmx (0.9.2-5.2) + Binary-package: ogle (0.9.2-5.2) + Binary-package: openoffice.org-common (1:2.4.1-6) + Binary-package: postfix (2.5.2-2) + Binary-package: tiger (1:3.2.2-3.1) + Binary-package: linuxtrade (3.65-8+b4) + Binary-package: arb-common (0.0.20071207.1-4) + Binary-package: scratchbox2 (1.99.0.24-1) + Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1) + Binary-package: firehol (1.256-4) + Binary-package: mafft (6.240-1) + Binary-package: liguidsoap (0.3.6-4) + Binary-package: ampache (3.4.1-1) + Binary-package: scilab-bin (4.1.2-5) + Binary-package: bk2site (1:1.1.9-3.1) + Binary-package: freevo (1.8.1-0) + Binary-package: dpkg-cross (2.3.0) + Binary-package: initramfs-tools (0.92f) + Binary-package: datafreedom-perl (0.1.7-1) + Binary-package: printfilters-ppd (2.13-9) + Binary-package: sendmail-base (8.14.3-5) + Binary-package: gccxml (0.9.0+cvs20080525-1) + Binary-package: aegis (4.24-3) + + + + + + + + + + + + + + + Deleted: doc/lenny_release ==================================================================--- doc/lenny_release 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/lenny_release 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,35 +0,0 @@ -Subject: Temporary suspension of testing security support after release of 5.0 (lenny) - -Due to the experiences we made after the last stable Debian release, the -Testing Security Team believes that it will be impossible to provide proper -security support for the new testing (Debian "squeeze") in the weeks following -the release of Debian 5.0 (lenny). Therefore we will temporarily suspend -security support for Debian testing after the release. - -If you need security support, we strongly recommend that you now change your apt -sources.list entries to point to "lenny" instead of "testing". This way you -will automatically stay with "lenny" after its release as stable and will -receive the normal security support for Debian stable. After the begin of -security support for Debian "squeeze" is announced, you may safely upgrade to -testing again. - - -There are two reasons for this suspension: - -After a stable release it will take some time to get the security related buildd -infrastructure for the new testing in place. Since many people will be busy -celebrating the release, we don''t know how long this will take ;-) - -In addition to that, we expect that shortly after the release a new libc -version will be uploaded to unstable, which will block most packages from -migrating from unstable to testing. This means that no security fixes will -reach testing from unstable. Since the Testing Security Team does not have -enough members to backport all security fixes to testing, it will be impossible -to provide proper security support. After the last stable release (etch) it -took nearly two months until the new glibc reached testing. - -On the other hand, libc blocking most packages from migrating to testing also -means that the difference between stable and testing will not grow quickly in -the weeks after lenny release. Therefore staying with stable should be an -acceptable solution for most users during that time. If you absolutely need -newer packages, you may also consider using unstable instead of testing. Deleted: doc/move_to_l.d.o ==================================================================--- doc/move_to_l.d.o 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/move_to_l.d.o 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,39 +0,0 @@ -Hi, - -as the effort to offer security support for Debian Testing has become more -official than it was when it started in 2005, and to make it easier to find -this announcement list, we have decided to move this list from alioth to -lists.debian.org. The planned date for the switch is June 25th. - -For you this means: - -1. Subscribers of the old list will be migrated to the new list automatically. - -2. This list, secure-testing-announce at lists.alioth.debian.org will be renamed -to debian-testing-security-announce at lists.debian.org. Mails to you will come -from the new address. - -3. The mailinglist headers will change. If you filter for headers, please -adjust your setup accordingly. The new header will be: - -List-Id: <debian-testing-security-announce.lists.debian.org> - -4. The subject will no longer contain the prefix [SECURITY]. - -5. Mails will originate from a different server. If you had any special -configuration (like an exception from grey-listing) for the old server, change -this to: - - lists.debian.org a.k.a. liszt.debian.org - 82.195.75.100 - -6. For unsubscribe instructions, look at the footer of announcements mails sent -from the new list. - -7. The list archive will move to - - http://lists.debian.org/debian-testing-security-announce/ - - -If you experience any problems, don''t hesitate to contact us. - Deleted: doc/testing-security ==================================================================--- doc/testing-security 2011-01-18 02:17:42 UTC (rev 15916) +++ doc/testing-security 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,93 +0,0 @@ -Providing security updates for Debian''s "testing" distribution. - - -Goals - -The initial goals of the Debian testing security team will be to: - - - Provide timely security updates for testing, with fixes being made - available no more than four days after a DSA is released. - - Work with maintainers to include security fixes from unstable - that do not have DSAs. - - Maintain a public database and statistics about the current state of - security in testing. - - -Existing infrastructure - -The main infrastructure we have that could be useful in preparing testing -security updates is the testing-proposed-updates queue. Thanks to the recent -work on the sarge release, t-p-u is functional for all (or almost all) -arches. - -There is also all the work of the security team, with DSAs, relationships -with upstream security sources, etc. - -There is the Debian BTS, which contains some but not all details about -security holes in Debian. Some security holes are not made public until a -DSA is released, and some are silently fixed in a new upstream release -uploaded to unstable. The BTS has some issues with keeping track of which -bugs apply to testing, though its developers have been working on solving -this problem for a while. - -We plan to take advantage of as much of the existing infrastructure as we -can, but we recognise that using some of it would require work from others -(ftp admins, security team, BTS admins), that we cannot require be done. We -plan to be able to function without needing these project resources, though -they could probably make the job easier. - - -Proposed infrastructure and processes - - - -This is how things will work for the first phase of the team''s activity. -Once the team is proven to work and there is demand, things can be better -integrated back into Debian. We hope that eventually our updates will be -available on security.debian.org the same as stable security updates. - -There will be an apt repository for testing security updates, similar to -security.debian.org. Uploads to this repository will be made only by -members of the testing security team, will be GPG signed in the usual way, -and will be accompanied a DTSA (Debian Testing Security Advisory), posted -to our web site, and to a mailing list. - -In the very early stages, this will only include security updates for the -i386 architecture. Security updates for other architectures will be added -after we work out an autobuilder system (hopefully by using Debian''s -existing t-p-u autobuilders). - -There will be an issue tracking system, which will be integrated with the -Debian BTS, so we can flag bugs as security issues for testing, and keep -track of when they are fixed in unstable, and in testing. - -All security updates will be built against the packages in testing, and -will be versioned to be an upgrade from the version of the package in -testing, and also as an upgrade from any unfixed version in unstable. Once -the security hole is fixed in unstable and reaches testing using normal -channels, the package can be removed from secure-testing.debian.net. - -Unlike security updates to package in stable, we will most often not -backport fixes to the versions of packages in testing. More often we will -simply take the fixed package from unstable, recompile it if necessary, and -qualify it for the testing distribution. This may involve upgrading to new -upstream releases, and so there''s a chance our updates will introduce new -bugs. We feel this is not as bad as unfixed security holes, and as a small -team with limited manpower, this is a useful shortcut. We will make sure -that out users realise that using our security updates can expose them to -upgrade bugs. - - -Team organisation - -The team will consist entirely of Debian developers. Unless a member of the -Debian security team joins the Debian testing security team, none of us -will have any privileged information about future security announcements. -So we will not be able to fix problems instantaneously, but we hope to get -all issues fixed within four days of the DSA, and most issues fixed -somewhat faster. Any Debian developer who has experience with security -issues is welcome to join the team. - -The current team members: - Joey Hess - <er, someone else please add your name here> Deleted: tmp.txt ==================================================================--- tmp.txt 2011-01-18 02:17:42 UTC (rev 15916) +++ tmp.txt 2011-01-18 02:17:49 UTC (rev 15917) @@ -1,104 +0,0 @@ -- Make sure the issue is tracked in the tracker -- Criteria for potential DSA: Typically used as root, typically used - on multiuser system, non-fringe, real world use case (i.e no debug, - no examples) -- This is the initial batch reported by Dmitry, but there might have - been followups? We should check this, I haven''t caught up with - mail backlog -- While some issues might not warrant a DSA for Etch, we should be - a little more aggressive on maintainters not following up for - Lenny and rather go for removal in such cases -- Since stable updates can be made by any DD we could also advertise - this on debian-devel to find a volunteer if the respective - maintainers are too busy -- I think we only need CVE IDs for issues fixed in a DSA or through - a point update, oss-security should be better than a CNA pool since - there''s a risk of collisions - - - -DSA: (Name in brackets if someone prepares a DSA) - Binary-package: qemu (0.9.1-5) (CVE-2008-4553) (white) - - -SPU: - Binary-package: ibackup (2.27-4.1) (CVE-2008-4475) - Binary-package: sympa (5.3.4-5) (CVE-2008-4476) - Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) (CVE-2008-4474) - Binary-package: fwbuilder (2.1.19-3) (CVE requested) - Binary-package: aegis-web (4.24-3) (CVE requested) - Binary-package: rancid-util (2.3.2~a8-1) (CVE requested) - Binary-package: fml (4.0.3.dfsg-2) (CVE requested) - Binary-package: gdrae (0.1-1) (CVE requested) - Binary-package: cdrw-taper (0.4-2) - Binary-package: digitaldj (0.7.5-6+b1) - Binary-package: xastir (1.9.2-1) - Binary-package: aview (1.3.0rc1-8) - Binary-package: xcal (4.1-18.3) - Binary-package: mgt (2.31-5) - Binary-package: sng (1.0.2-5) - Binary-package: cdcontrol (1.90-1.1) - Binary-package: apertium (3.0.7+1-1+b1) - Binary-package: rccp (0.9-2) - Binary-package: xmcd (2.6-19.3) - Binary-package: xsabre (0.2.4b-23) (CVE-2008-4407) - Binary-package: realtimebattle-common (1.0.8-2) - Binary-package: cman (2.20080629-1) - Binary-package: wims (3.62-13) - Binary-package: konwert-filters (1.8-11.1) - Binary-package: crossfire-maps (1.11.0-1) - Binary-package: sgml2x (1.0.0-11.1) - Binary-package: xen-utils-3.2-1 (3.2.1-2) - Binary-package: myspell-tools (1:3.1-20) - Binary-package: emacs-jabber (0.7.91-1) - Binary-package: audiolink (0.05-1) - Binary-package: impose+ (0.2-11) - Binary-package: emacspeak (26.0-3) (CVE-2008-4191) - Binary-package: netmrg (0.20-1) - Binary-package: r-base-core (2.7.1-1) (CVE-2008-3931) - Binary-package: dist (1:3.5-17-1) - Binary-package: gpsdrive-scripts (2.10~pre4-3) - Binary-package: rkhunter (1.3.2-3) - Binary-package: mgetty-fax (1.1.36-1.2) - -Non-issues (not exploitable, only examples or very exotic use cases, -e.g. only exploitable when debugging a certain option, not present -in Etch or only exploitable during package build time): - Binary-package: ogle-mmx (0.9.2-5.2) - Binary-package: ogle (0.9.2-5.2) - Binary-package: openoffice.org-common (1:2.4.1-6) - Binary-package: postfix (2.5.2-2) - Binary-package: tiger (1:3.2.2-3.1) - Binary-package: linuxtrade (3.65-8+b4) - Binary-package: arb-common (0.0.20071207.1-4) - Binary-package: scratchbox2 (1.99.0.24-1) - Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1) - Binary-package: firehol (1.256-4) - Binary-package: mafft (6.240-1) - Binary-package: liguidsoap (0.3.6-4) - Binary-package: ampache (3.4.1-1) - Binary-package: scilab-bin (4.1.2-5) - Binary-package: bk2site (1:1.1.9-3.1) - Binary-package: freevo (1.8.1-0) - Binary-package: dpkg-cross (2.3.0) - Binary-package: initramfs-tools (0.92f) - Binary-package: datafreedom-perl (0.1.7-1) - Binary-package: printfilters-ppd (2.13-9) - Binary-package: sendmail-base (8.14.3-5) - Binary-package: gccxml (0.9.0+cvs20080525-1) - Binary-package: aegis (4.24-3) - - - - - - - - - - - - - - -