[Techtalk] Handling security issues when you are upstream

Devdas Bhagat devdas at dvb.homelinux.org
Sat Oct 8 15:17:39 EST 2005


On 08/10/05 11:56 +1000, Mary wrote:
> Hi everyone,
> 
> Anyone know of the current correct procedure for notifying vendors of a
> security hole and a fix when you *are* upstream for the fix? I know from
> blogs that vendors, particularly Linux distros, got Very Very Angry with
> Mozilla recently for not helping them coordinate a release of fixed
> packages at the same time as mozilla.org itself had a fixed version.
> 
Most vendors have a security team email contact. This is the preferred
way for getting in touch about security vulnerabilities, rather than
regular bugs.

RedHat:
secalert (at) redhat.com

Debian:
security (at) debian.org
http://www.debian.org/security/

Gentoo:
security (at) gentoo.org /
koon (at) gentoo.org/jaervosz (at) gentoo.org/Gentoo bugzilla.
http://security.gentoo.org/

SuSE:
security (at) suse.com/security (at) suse.de

Fedoralegacy:
secnotice (at) fedoralegacy.org

Mandrake:
security (at) mandriva.com

Ubuntu does not look like it has a formal security contact address.
You could try contacting martin.pitt (at) canonical.com for instructions.
He sends and signs the USN notices to full-disclosure.

Slackware:
security (at) slackware.com

You might want to contact the security teams for *BSD as well, or the
maintainer of the port (if the package is not in base).

<snip>
>  1. which database do you report to? where are the forms for upstreams
>     to use (most of the forms seem to be for third parties, they have a lot
>     of questions about "when did you notify upstream and what did they say?"
> 
Just sending an email should work.

>  2. is there any central place to report to vendors or do you have to
>     personally visit the bug tracker of every one of the possibly hundreds
>     of distros (Linux and other) releasing packages and wait for them
>     all to reply etc etc?
> 
You could talk to SANS, or equivalent local CERT. They have the role of
coordinating with other vendors.

>  3. how do all the vendors get back in touch with you? how long is it
>     right to delay the announcement for while Joe Bob's Linux is trying to
>     do a new package?
> 
http://www.wiretrip.net/rfp/policy.html has useful suggestions.

>  4. where do you send public announcements of bugs?
Minimally, the full-disclosure and bugtraq mailing lists.

Devdas Bhagat
