From Fedora Project Wiki

Revision as of 13:48, 26 August 2018 by Huzaifas

Addressing security flaws in packages is important to any distribution, and Fedora is no exception. The large number of packages, and the fact that many maintainers look after several packages, adds to the overall problem. This document describes the steps Fedora Package Maintainers can take to resolve security bugs open against their packages.

Fedora Security flaws

Fedora Security bugs are filed by the Red Hat Product Security Team. They are often referred to as Fedora trackers, since they do not contain any actual flaw information; rather, they are product bugs which allow maintainers to link to their commits and bodhi updates. For example, consider bug 1455050: this is a Fedora tracker which links to the actual security bug.

All information, including a description of the flaw, possible patches, upstream bug links and public reproducers if any, is available in the security bug. Fedora security trackers can be recognized by the presence of the keywords "Security, SecurityTracking" in the bug and by a link to the security flaw in the "Blocks" field. The priority and severity fields are set according to the security impact of the flaw.

Resolving Fedora Security flaws

Though the Red Hat Product Security Team puts a lot of effort into determining whether the corresponding Fedora packages are affected, it is quite possible that the flaw needs a little more analysis by the package maintainer. Some assumptions which apply to Red Hat products may not be true for Fedora, so the actual impact may be different for Fedora or, in some cases, there may be no impact at all.

A Fedora Security flaw is resolved in one of the following ways:

* Patch the package: For flaws which are fixed upstream, the Security flaw linked to the Fedora tracker should have a link to the patch, or the actual patch attached to the bug. If new versions of the package are available which fix the issue, details should be available in the Red Hat Security flaw or on the upstream website. In most cases Fedora Package Maintainers choose to rebase, because it also brings in new features and bug fixes. The normal package update process is followed, and a bodhi security update linked to the Fedora tracker bug should be used. Once the update reaches stable, the bug is automatically closed with the resolution CLOSED:ERRATA.

In cases where the Fedora release is close to EOL, maintainers often choose to apply the patch or rebase in the next available Fedora version instead. This should be acceptable in most cases, but the tracker bug should then be closed with an explanatory comment and the correct resolution (perhaps CLOSED:NEXTRELEASE).

* Wontfix the Fedora tracker: Many times security fixes are not available upstream, and patches which fix the issue may be non-trivial to write. Depending on the impact of the security flaw and the importance of the component, such flaws can possibly be closed as WONTFIX. Often upstream later addresses several such issues at the same time, and a rebase then solves the issue. For example:

    • A low-impact flaw in a package like glibc should not be closed as WONTFIX.
    • A moderate-impact flaw in a game could be closed as WONTFIX if no fix is available upstream.

In most cases the package maintainer's discretion applies. If in doubt, ask the Fedora security team or comment on the Fedora Security tracker.


Other measures for ensuring that security flaws are fixed

Some other measures which are planned to be taken are as follows:

References

Some previous documentation I found, which may still be relevant: https://fedoraproject.org/wiki/Security_Bugs and https://fedoraproject.org/wiki/Security_Tracking_Bugs