Nico Golde
2009-May-09 16:55 UTC
[Secure-testing-team] regarding issue checking, all new members read this
Hi,

it has come to my attention that there seems to be a common misunderstanding about how we check new issues popping up. The most recent example of this is the handling of CVE-2008-6792. I really don't want to blame anyone, as this seems to be a misunderstanding, so don't get this mail wrong.

If you commit to the security tracker and triage a security issue, make sure that your commit data is not based on the CVE id description but on _research_. This research includes reading the code, finding fixes/commits in the upstream repository, or even writing patches yourself if you have the time to do that. If you can't ensure that, please add a TODO entry reflecting what is missing from your research. This is absolutely necessary to prevent integrating false positives or otherwise incorrect data into the security tracker. People, and especially the stable security team, loosely base (depending on the versions used in the distribution) their decisions regarding stable security updates on this data, and a lot of people require this data to be correct (e.g. debsecan).

This also means that if the CVE id says that something is vulnerable prior to version X, you need to check whether that is the case, as well as the information given on distro-specific issues. Always make sure you understand the issue and are able to verify that the information is correct. While MITRE tries to do their best on the issues, there is often something fishy with the descriptions, missing references, etc. If you are aware of an error, please also contact MITRE (or, even better, write a mail to oss-sec).

I know this is a lot more work, but this is necessary to make sure we are not getting replaced by a small shell script. Thanks for your attention! ;-P

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Giuseppe Iuculano
2009-May-09 18:26 UTC
[Secure-testing-team] regarding issue checking, all new members read this
Nico Golde wrote:
> The most recent example of this is the handling of
> CVE-2008-6792. I really don't want to blame anyone as this

I apologize. I was deceived by the CVE id description, and by the fact that Ubuntu people unaccountably fixed that issue only in the Intrepid release. I had convinced myself that it was "only" an Ubuntu-specific issue, but I was wrong...

Giuseppe.
Nico Golde
2009-May-09 21:14 UTC
[Secure-testing-team] regarding issue checking, all new members read this
Hi,

* Giuseppe Iuculano <giuseppe at iuculano.it> [2009-05-09 21:22]:
> Nico Golde wrote:
> > The most recent example of this is the handling of
> > CVE-2008-6792. I really don't want to blame anyone as this
>
> I apologize. I was deceived by the CVE id description, and by the fact that
> Ubuntu people unaccountably fixed that issue only in the Intrepid release.
> I had convinced myself that it was "only" an Ubuntu-specific issue, but I was
> wrong...

No problem; as I said, I didn't want to blame anyone. Mistakes happen, and recently there were a few in this category. We are thankful for all the work you've done!

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.