[Techtalk] Handling security issues when you are upstream

Telsa Gwynne hobbit at aloss.ukuu.org.uk
Mon Oct 10 22:45:00 EST 2005


On Sat, Oct 08, 2005 at 11:56:21AM +1000 or thereabouts, Mary wrote:
> Anyone know of the current correct procedure for notifying vendors of a
> security hole and a fix when you *are* upstream for the fix? I know from
> blogs that vendors, particularly Linux distros, got Very Very Angry with
> Mozilla recently for not helping them coordinate a release of fixed
> packages at the same time as mozilla.org itself had a fixed version.

I asked my husband about this, since he works for a vendor, and gets
security stuff about the kernel, and is (I find now!) on a mailing
list that's part of the answer. The following is with his vendor-sec 
hat on.

>  2. is there any central place to report to vendors or do you have to

For Linux distros and most BSDs, there is vendor-sec at lst.de. This
is a closed mailing list which has representatives from most distros
on it. Sending things there will get them to most distros. If you mail, 
someone from it should respond to you. They may give your bug a CAN 
identifier (a unique identifier for a security bug) if it doesn't 
already have one. vendor-sec is a non-disclosure list. It will not 
publish stuff beyond vendor-sec until you are happy. 

If you have a vulnerability and fix in a much more widely-used
package (typically a library), then CERT (cert at cert.org) is the 
place to go in addition. Alan says you must give CERT a date on 
which you are going to publish details "or they may keep asking 
you to delay, and to delay, and to delay". (This is something he
doesn't like.)

>  3. how do all the vendors get back in touch with you? how long is it
>     right to delay the announcement for while Joe Bob's Linux is trying to
>     do a new package?

"Depends on the bug and particularly on whether you have a fix
ready for them." Vendors may want at least a fortnight, especially
when they have to backport your fix to the other versions they 
still have to support. 
 
>  4. where do you send public announcements of bugs?

Linux Weekly News monitors security and is widely-read. Vendor-sec
may have advice on this and also on when to announce it -- experience
has apparently taught that public holidays are a bad time to expect 
everyone to notice and to upgrade. Ditto for weekends. 

Telsa