From Fedora Project Wiki

(Added FST logo)
(Moved text to the work flow page. Commented out CVE information.)
Line 28: Line 28:
We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, the package maintainer then builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi].
We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, the package maintainer then builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi].


<!--
=== [https://cve.mitre.org/ CVEs] ===
=== [https://cve.mitre.org/ CVEs] ===


Line 34: Line 35:
For each assigned CVE two bugs are created: one is the parent bug which describes the issue in human understandable details and lists available fixes and a second is the child bug which is used to track progression of these fixes into individual products(Fedora, Fedora-EPEL etc.). The parent bug is a generic one; it is opened against '''Component: vulnerability'''. Child bugs are specific; they are opened against '''Component: <package-name>''' of an individual product and are marked with '''keywords: SecurityTracking'''.
For each assigned CVE two bugs are created: one is the parent bug which describes the issue in human understandable details and lists available fixes and a second is the child bug which is used to track progression of these fixes into individual products(Fedora, Fedora-EPEL etc.). The parent bug is a generic one; it is opened against '''Component: vulnerability'''. Child bugs are specific; they are opened against '''Component: <package-name>''' of an individual product and are marked with '''keywords: SecurityTracking'''.


-->
== How to get involved ==
== How to get involved ==
=== Joining the team ===
=== Joining the team ===
Line 40: Line 42:
# subscribe to the {{fplist|security-team}} mailing list
# subscribe to the {{fplist|security-team}} mailing list
# join us on the {{fpchat|#fedora-security-team}} IRC channel
# join us on the {{fpchat|#fedora-security-team}} IRC channel
# read the [[Security_Team#Work_Flow|work flow]]
# read the [[Security_Team_Work_Flow|work flow]]


Once you feel comfortable just jump in and start helping. If you have questions please ask on IRC or on the mailing list.
Once you feel comfortable just jump in and start helping. If you have questions please ask on IRC or on the mailing list.


Also, please take a look at the proposed [[Security Team Apprenticeship]] program as this may help answer additional questions.
Also, please take a look at the proposed [[Security Team Apprenticeship]] program as this may help answer additional questions.
=== Work Flow ===
{{:Security_Team_Work_Flow}}
=== Bug Ownership ===
Each tracking bug should have an owner for several reasons. It would certainly be inefficient if the work was done twice. Collisions and misunderstandings might occur if two people tried to coordinate a fix with an upstream developer independently. For these reasons, we should indicate the fact that we are working on the tracking bug by filling the Whiteboard of the bug with Bugzilla user name of the owner:
    Whiteboard: fst_owner=<owner>,[<owner2>,<owner3>]
As <owner> FAS ID should be used; It simplifies further management. For the list of Bugzilla user names of the Fedora Security Team see the [[Security Team Roster]].
'''Note: For multiple FST owners FAS IDs should be comma-separated and NOT contain spaces.'''
== Bugzilla Links ==
* '''Open issues'''
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced Critical Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=urgent&v2=urgent Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced Important Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=high&v2=high Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced Moderate Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=medium&v2=medium Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced Low Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=low&v2=low Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&priority=unspecified&query_format=advanced Unknown Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=unspecified&v2=unspecified Unowned]
** [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced Bugs in MODIFIED, ON_DEV, ON_QA states] [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&o1=notsubstring&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced&v1=fst_owner%3D Unowned]
== Tools/Resources ==
* [http://rootkit.nl/projects/lynis.html lynis]
* [http://www.trapkit.de/tools/checksec.html checksec]
* [https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/index.html Defensive coding]
* [https://fedorahosted.org/scap-security-guide/ SCAP Security Guide]
* [http://people.redhat.com/sgrubb/security/ Security Assessment Tools/Scripts]
* [https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers Nonresponsive Package Maintainers Policy]


{{:Security Team Hall of Fame}}
{{:Security Team Hall of Fame}}


[[Category:Security]]
[[Category:Security]]

Revision as of 16:43, 19 August 2016

Fedora Security Team logo

Mission

To provide the utmost secure operating environment to Fedora and EPEL users by:

  • working with packagers to patch and update packages,
  • identifying and helping to improve secure development practices,
  • answering software security questions from the community.

Contact

If you need help or assistance with any issue, please feel free to contact the FST members at

Security Response

To report a vulnerability in software please follow the procedure outlined on the Security Bugs page.

To report a security concern within the Fedora Project please email security at fedoraproject dot org.

What we do

Fedora Security Team aims to ensure that users are protected from vulnerabilities that exist in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via Bugzilla by Red Hat Product Security. These bugs are marked with keywords: SecurityTracking attribute in Bugzilla, for ex. => CVE-2013-0333 rubygem-activesupport: json to yaml parsing. The SecurityTracking keyword indicates that the bug could have security implications which need to be investigated.

We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, the package maintainer then builds a new version of the package and submits an update to the Fedora or EPEL repositories via Bodhi.

How to get involved

Joining the team

Joining the Fedora Security Team is an easy, three-step process:

  1. subscribe to the security-team mailing list
  2. join us on the #fedora-security-team[?] IRC channel
  3. read the work flow

Once you feel comfortable just jump in and start helping. If you have questions please ask on IRC or on the mailing list.

Also, please take a look at the proposed Security Team Apprenticeship program as this may help answer additional questions.

Retrieved from "https://fedoraproject.org/w/index.php?title=Security_Team&oldid=468531"