From Fedora Project Wiki

Revision as of 12:38, 25 August 2018 by Huzaifas (more content)

Addressing security flaws in packages is important to any distribution, and Fedora is no exception. The large number of packages, and the multiple packages per maintainer, add to the overall problem. This document describes steps which Fedora package maintainers can take to resolve security bugs open against their packages.

Fedora Security flaws

Fedora security bugs are filed by the Red Hat Product Security Team. They are often referred to as Fedora trackers, since they do not contain any actual flaw information; rather, they are product bugs which allow maintainers to link to their commits and Bodhi updates. For example, consider bug 1455050: this is a Fedora tracker which links to the actual security bug.

All information, including the description of the flaw, possible patches, upstream bug links and public reproducers (if any), is available in the security bug. Fedora security trackers can be recognized by the presence of the keywords "Security, SecurityTracking" in the bug and by a link to the security flaw in the "Blocks" field. The priority and severity fields are set according to the security impact of the flaw.

Resolving Fedora Security flaws

Though the Red Hat Product Security Team puts a lot of effort into determining whether the corresponding Fedora packages are affected, it is quite possible that the flaw may need a little more analysis by the package maintainer. Some assumptions which apply to Red Hat products may not hold for Fedora; therefore the actual impact may be different for Fedora, or in some cases there may be no impact at all.

The purpose of resolving Fedora Security flaws is to:

  • Patch the package