From Fedora Project Wiki

== Mission ==
{{:Security_Team_Mission}}
 
== Contact ==
 
If you need help or assistance with any issue, please feel free to contact the FST members at:
 
* '''IRC''':
** {{fpchat|#fedora-security}} - general security questions
** {{fpchat|#fedora-security-team}} - Security Team IRC channel for working on vulnerabilities
* '''Mailing lists''':
** {{fplist|security}} - General security mailing list (good for questions)
** {{fplist|security-team}} - Security Team mailing list
* '''Weekly meetings''':
** Every Thursday at 14:00 UTC. -> [[Security_Team_meetings|Schedule and Agenda]]
 
=== Security Response ===
 
To '''report a vulnerability''' in software please follow the procedure outlined on the [[Security Bugs]] page.
 
To '''report a security concern''' within the Fedora Project please email security at fedoraproject dot org.
 
== What we do ==
The Fedora Security Team aims to ensure that users are protected from vulnerabilities that exist in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via [https://bugzilla.redhat.com/ Bugzilla] by Red Hat Product Security. These bugs are marked with the '''keywords: SecurityTracking''' attribute in Bugzilla, for example: [https://bugzilla.redhat.com/show_bug.cgi?id=905374 CVE-2013-0333 rubygem-activesupport: json to yaml parsing]. The '''SecurityTracking''' keyword indicates that the bug could have security implications which need to be investigated.
 
We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such a patch or new release is available, the package maintainer builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi].
 
<!--
=== [https://cve.mitre.org/ CVEs] ===
 
CVE stands for '''Common Vulnerabilities and Exposures''' and is the global standard for uniquely identifying and tracking software security vulnerabilities. Each vulnerability in any package has a unique CVE ID assigned to it. If it is a new security issue, we need to [http://www.openwall.com/lists/oss-security/2014/09/07/1 request] a CVE ID for it from the [http://www.openwall.com/lists/oss-security/ oss-security] mailing list. Alternatively, we may also request CVEs from Red Hat via secalert@redhat.com. CVE IDs are allocated by the [http://www.mitre.org/about/corporate-overview MITRE Corporation], which is the primary '''CVE Numbering Authority (CNA)'''.
 
For each assigned CVE two bugs are created: one is the parent bug, which describes the issue in human-readable detail and lists available fixes; the second is a child bug, which is used to track the progression of these fixes into individual products (Fedora, Fedora-EPEL etc.). The parent bug is a generic one; it is opened against '''Component: vulnerability'''. Child bugs are specific; they are opened against '''Component: <package-name>''' of an individual product and are marked with '''keywords: SecurityTracking'''.
 
-->
== How to get involved ==
=== Joining the team ===
 
Joining the Fedora Security Team is an easy, three-step process:
# subscribe to the {{fplist|security-team}} mailing list
# join us on the {{fpchat|#fedora-security-team}} IRC channel
# read the [[Security_Team_Work_Flow|work flow]]
 
Once you feel comfortable, just jump in and start helping. If you have questions, please ask on IRC or on the mailing list.
 
Also, please take a look at the proposed [[Security Team Apprenticeship]] program as this may help answer additional questions.
 
{{:Security Team Hall of Fame}}
 
[[Category:Security]]

Latest revision as of 18:39, 19 August 2016