From Fedora Project Wiki

== Mission ==
    <code>To provide the most secure operating environment possible to Fedora users.</code>
 
== How ==
The Fedora Security Team aims to ensure that users are protected from vulnerabilities in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via [https://bugzilla.redhat.com/ Bugzilla].
Such bugs carry the '''Security''' keyword in Bugzilla; for example, [https://bugzilla.redhat.com/show_bug.cgi?id=838761 ndjbdns vulnerable to cve-2012-1191 (ghost domain attack)]. The package maintainer then follows up with the upstream developers to obtain a patch or a new release that fixes the issue. Once such a patch or new release is available, the package maintainer builds a new version of the Fedora package and submits an update to the Fedora repositories via [https://admin.fedoraproject.org/updates/ Bodhi].
 
It is a fairly straightforward process. The problems arise when package maintainers either don't understand the issue or are too busy to triage it in time. That is where the Fedora Security Team comes in. We work with the upstream developers to obtain the security fixes and help package maintainers push these fixes to the Fedora repositories.
 
=== [https://cve.mitre.org/ CVE] ===
 
CVE stands for '''Common Vulnerabilities and Exposures'''. It is the global standard used to uniquely identify and track publicly known information security vulnerabilities: each distinct vulnerability gets one CVE ID, and that ID is what the parent and tracking bugs described below are keyed on. If an issue does not have a CVE ID yet, we [http://www.openwall.com/lists/oss-security/2014/09/07/1 request] one on the [http://www.openwall.com/lists/oss-security/ oss-security] list. Note that oss-security is a public list, so request an ID there only for issues that are already public or are being made public with the request; IDs for embargoed issues must be requested from MITRE privately. CVE IDs are allocated by the [http://www.mitre.org/about/corporate-overview MITRE Corporation], which is the primary '''CVE Numbering Authority (CNA)'''.
 
For each assigned CVE, we create two kinds of bugs. The first is the parent bug, which describes the issue in human-readable detail. The second is the child (tracking) bug, one per product that ships the vulnerable package (Fedora, Fedora EPEL, etc.), used to track the fix in that product. The parent bug is generic: it is opened against '''Component: vulnerability''' and carries the '''Security''' keyword. Child bugs are specific: they are opened against '''Component: <package-name>''' and carry the '''SecurityTracking''' keyword, which is what the queries in this page select on.
 
=== Work flow ===
 
If you wish to help make Fedora a secure operating environment, these steps should come in handy:
 
# Select an open security bug from -> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=Security%2C%20SecurityTracking%2C%20&query_format=advanced Open issues].
# [[Security_Team#Taking_ownership_of_tracking_bugs|Own the bug]].
# Examine the bug details and validate if it is really a security issue.
# Determine if a fix is available and if the vulnerability is already fixed in Fedora by examining the current version and/or talking with the package maintainer.
# If a fix is not available, work with the upstream developers via email/mailing list/IRC channels to obtain a patch or new version which fixes the issue.
# Work with the package maintainer to get the patch or fixed version packaged and pushed as a security update.
# GOTO 1;
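
Step 4 (deciding whether the fixing version is already in Fedora) is easy to get wrong by eyeballing version strings, because RPM orders them with its own rules: numeric segments compare as numbers, <code>~</code> sorts a pre-release below the final version and <code>^</code> sorts a post-release above it. The following is an added example, not part of this page or of any Fedora tooling: a Python port of librpm's rpmvercmp() with an epoch:version-release comparison on top, plus a scan of <code>rpm -q --changelog</code> output for CVE IDs so that a backported fix in an older version is not mistaken for a still-vulnerable build. The package, versions, dates and changelog text are constructed; only the CVE ID is the one from the Bugzilla example above.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version/release strings like librpm's rpmvercmp(): -1, 0 or 1.
    Segments split on separators; numbers compare as integers, letters lexically,
    number beats letters; '~' sorts lowest (1.0~rc1 < 1.0), '^' sorts above
    end-of-string but below a further segment (1.0 < 1.0^post < 1.0.1)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":
            if ca != cb:
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != cb:
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        si, sj = i, j
        isnum = ca.isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        while i < la and same_kind(a[i]):
            i += 1
        while j < lb and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                      # other side starts a segment of the other kind
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):   # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch is 0, a missing release ''."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Compare EVRs: epoch, then version, then release.  Release is compared only
    when both sides have one, so an upstream 'fixed in 1.07' can be checked
    directly against a Fedora build such as '1.07-1.fc24'."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or not (ra and rb):
        return rc
    return rpmvercmp(ra, rb)


def cves_in_changelog(changelog: str) -> set:
    """CVE IDs named in `rpm -q --changelog <pkg>` style text, upper-cased."""
    return {m.upper() for m in CVE_RE.findall(changelog)}


def fix_status(build_evr: str, fixed_evr: str, changelog: str, cve: str) -> str:
    """'fixed' if the build is at or past the version upstream fixed `cve` in;
    'patched' if it is older but its changelog names the CVE (a backport, so
    confirm the patch is really applied); otherwise 'vulnerable'."""
    if evr_compare(build_evr, fixed_evr) >= 0:
        return "fixed"
    if cve.upper() in cves_in_changelog(changelog):
        return "patched"
    return "vulnerable"


# Constructed changelog of a hypothetical 1.06-3 build of a hypothetical package.
CHANGELOG_1_06_3 = """\
* Tue Aug 16 2016 Example Maintainer <maint@example.org> - 1.06-3
- Backport upstream fix for CVE-2012-1191 (ghost domain attack)

* Mon Jun 06 2016 Example Maintainer <maint@example.org> - 1.06-2
- Rebuilt
"""
```

In practice the build EVR comes from <code>koji latest-build &lt;tag&gt; &lt;pkg&gt;</code> or <code>dnf info</code>, and the changelog from <code>rpm -q --changelog</code> on the built package; for instance <code>fix_status("1.06-3.fc24", "1.07", CHANGELOG_1_06_3, "CVE-2012-1191")</code> returns <code>"patched"</code>, while the same call with a 1.06-2 build and its changelog returns <code>"vulnerable"</code>. A "patched" result still needs a look at the spec file or the patch itself before closing the tracker.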
 
 
== Taking ownership of tracking bugs ==
 
Each tracking bug we work on should have a person who owns it. Otherwise work may be done twice, and collisions and misunderstandings can occur if two people coordinate a fix with upstream and the packagers independently. So indicate that you are working on a tracking bug by putting the Bugzilla login of the owner in the bug's Whiteboard:
 
    Whiteboard: fst_owner=<owner>,[<owner2>,<owner3>]
 
Use the FAS ID as <owner>, since that simplifies further management. For the list of Bugzilla logins of Fedora Security Team members see the [[Security Team Roster]].

For multiple FST owners, the FAS IDs should be comma-separated and must NOT contain spaces. The "Unowned" queries below simply test that the whiteboard does not contain the substring <code>fst_owner=</code>, so the token must be spelled exactly as shown or the bug will keep showing up as unowned.
 
{|width=100%
! width=20% | IRC Channel
| {{fpchat|#fedora-security-team}} <BR> {{fpchat|#fedora-security}}
|-
! Mailing List
| {{fplist|security-team}} - Security Team mailing list <BR> {{fplist|security}} - General security mailing list (good for questions)
|-
! Meetings
| [[Security_Team_meetings|Schedule and Agenda]]
|-
! Current issues
| [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced Critical Vulnerabilities] - [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&o1=notsubstring&priority=urgent&query_format=advanced&v1=fst_owner%3D Unowned] <BR> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced Important Vulnerabilities] - [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&o1=notsubstring&priority=high&query_format=advanced&v1=fst_owner%3D Unowned] <BR> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced Moderate Vulnerabilities] - [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&o1=notsubstring&priority=medium&query_format=advanced&v1=fst_owner%3D Unowned] <BR> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced Low Vulnerabilities] - 
[https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&o1=notsubstring&priority=low&query_format=advanced&v1=fst_owner%3D Unowned] <BR> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&priority=unspecified&query_format=advanced Unknown Vulnerabilities] - [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&o1=notsubstring&priority=unspecified&query_format=advanced&v1=fst_owner%3D Unowned] <BR> [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced Bugs in MODIFIED, ON_DEV, ON_QA states] - [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&o1=notsubstring&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced&v1=fst_owner%3D Unowned]
|}
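
The ownership convention above and the paired owned/unowned queries in the table are simple enough to script. The following is an added example, not part of this page or of any Fedora tooling: it parses and sets the <code>fst_owner=</code> token in a whiteboard string while enforcing the comma-separated, no-spaces rule, and sorts a list of tracking bugs into the same buckets the table's queries use (status NEW/ASSIGNED, keyword SecurityTracking, priority urgent/high/medium/low/unspecified, plus the POST/MODIFIED/ON_DEV/ON_QA list). The bug records are constructed here using the field names the Bugzilla REST API returns for a bug (<code>id</code>, <code>status</code>, <code>priority</code>, <code>keywords</code>, <code>whiteboard</code>, <code>component</code>, <code>classification</code>); the ids, package name and owner names are hypothetical.

```python
OWNER_TOKEN = "fst_owner="
# Bucket names are those of the "Current issues" table, keyed by Bugzilla priority.
PRIORITY_BUCKET = {"urgent": "Critical", "high": "Important", "medium": "Moderate",
                   "low": "Low", "unspecified": "Unknown"}
OPEN_STATES = {"NEW", "ASSIGNED"}
IN_PROGRESS_STATES = {"POST", "MODIFIED", "ON_DEV", "ON_QA"}


def valid_owner(owner: str) -> bool:
    """One FAS ID: non-empty, no whitespace, no comma (the whiteboard token is
    comma-separated with no spaces, and the queries match the literal substring)."""
    return bool(owner) and not any(c.isspace() or c == "," for c in owner)


def parse_fst_owners(whiteboard: str) -> list:
    """FAS IDs listed in the fst_owner= token of a whiteboard, or [] if unowned."""
    for token in whiteboard.split():
        if token.startswith(OWNER_TOKEN):
            return [o for o in token[len(OWNER_TOKEN):].split(",") if o]
    return []


def set_fst_owners(whiteboard: str, owners: list) -> str:
    """Return the whiteboard with fst_owner=<a>,<b> set, keeping every other token."""
    bad = [o for o in owners if not valid_owner(o)]
    if bad or not owners:
        raise ValueError(f"invalid owner id(s): {bad!r}")
    others = [t for t in whiteboard.split() if not t.startswith(OWNER_TOKEN)]
    return " ".join(others + [OWNER_TOKEN + ",".join(owners)])


def is_tracking_bug(bug: dict) -> bool:
    """Child/tracking bugs carry SecurityTracking; parent bugs (component
    'vulnerability', keyword Security only) are not in the queue."""
    return (bug.get("classification") == "Fedora"
            and "SecurityTracking" in bug.get("keywords", []))


def triage_queue(bugs: list) -> dict:
    """Sort tracking bugs into the table's buckets, each split owned/unowned the
    way the paired queries do.  Slightly stricter than the raw 'notsubstring'
    query: an fst_owner= token with no value still counts as unowned."""
    queue = {name: {"owned": [], "unowned": []}
             for name in list(PRIORITY_BUCKET.values()) + ["In progress"]}
    for bug in bugs:
        if not is_tracking_bug(bug):
            continue
        if bug["status"] in OPEN_STATES:
            bucket = PRIORITY_BUCKET.get(bug.get("priority", "unspecified"), "Unknown")
        elif bug["status"] in IN_PROGRESS_STATES:
            bucket = "In progress"
        else:
            continue                      # CLOSED etc.: nothing left to own
        side = "owned" if parse_fst_owners(bug.get("whiteboard", "")) else "unowned"
        queue[bucket][side].append(bug["id"])
    return queue


def _bug(bug_id, status, priority, whiteboard, component="examplepkg",
         keywords=("Security", "SecurityTracking")):
    """Constructed record shaped like a Bugzilla REST API bug object."""
    return {"id": bug_id, "classification": "Fedora", "component": component,
            "status": status, "priority": priority, "keywords": list(keywords),
            "whiteboard": whiteboard}


# Constructed sample queue; ids, package name and owners are hypothetical.
SAMPLE_BUGS = [
    _bug(1001, "NEW", "urgent", ""),
    _bug(1002, "ASSIGNED", "urgent", "fst_owner=alice"),
    _bug(1003, "NEW", "high", "impact=important"),
    _bug(1004, "MODIFIED", "medium", "fst_owner=bob"),
    _bug(1005, "NEW", "unspecified", "", component="vulnerability",
         keywords=("Security",)),          # parent bug, not a tracker
    _bug(1006, "NEW", "low", "fst_owner=alice,bob"),
]

if __name__ == "__main__":
    for bucket, sides in triage_queue(SAMPLE_BUGS).items():
        print(f"{bucket:12} owned={sides['owned']} unowned={sides['unowned']}")
```

To claim a bug, compute the new whiteboard with <code>set_fst_owners(bug["whiteboard"], ["yourfasid"])</code> and write it back through Bugzilla; the validation refuses an id containing a space or comma, which is exactly the malformed token the "Unowned" queries would fail to notice.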
 
== Hall of Fame ==
 
{{:Security Team Hall of Fame}}
 
== Getting Involved ==
Getting involved in the FST is easy. First, subscribe to the {{fplist|security-team}} mailing list. Next, join us in the {{fpchat|#fedora-security-team}} IRC channel. Finally, read the [[Security_Team#Work_flow|work flow]] and jump in. If you have questions, please ask them on IRC or on the list.
 
[[Category:Security]]

Latest revision as of 18:39, 19 August 2016