From: ben.hutchings@codethink.co.uk (Ben Hutchings)
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] [CIP Core] Criteria for prioritizing security fixes in Debian LTS
Date: Thu, 26 Jul 2018 11:29:42 +0800
Message-ID: <1532575782.21552.51.camel@codethink.co.uk>
In-Reply-To: <000301d42002$87e767e0$97b637a0$@toshiba.co.jp>
On Fri, 2018-07-20 at 17:20 +0900, Daniel Sangorrin wrote:
[...]
> Without further delay, I would appreciate it if you reviewed the
> criteria below to prioritize security fixes:
The criteria make sense to me. I have a few points:
> 1) Packages that are popular among members' package lists
> [Rationale] popular packages are often the target of exploits
> - Examples: bash, busybox[-static], zlib, sqlite3, iptables, net-tools, libcap2, util-linux, dropbear, libsqlite3, tzdata
> 2) CVEs with high "base score", high "impact score",
>    high "exploitability score", and low "attack complexity"
> [Rationale] these CVEs usually refer to bugs that are easy to exploit
> or have a high impact.
> 3) Network software (CVEs with "Access Vector (AV): Network")
> [Rationale] bugs that can be exploited remotely are the most dangerous
> - Network servers examples: apache2, nginx, openssh-server, openssh-sftp-server,
>   tftp-hpa, postgresql, nfs-kernel-server, strongswan, netcat, vsftpd
> - Network libs examples: libssh, libssl, zeromq3, libsocketcan, net-snmp,
>   libnet, libnss, openldap, openvpn, libcurl..
> - Network clients examples: openssh-client, sshpass, ntp, wireless-tools,
>   wget, obexftp, iproute2...
> - Update software examples: apt, unattended-upgrades...
I don't think remote filesystem implementations are security-
supportable over the period required by LTS, and I thought we agreed
that remote filesystem code in the kernel wouldn't be supported.
> 4) Security software
> [Rationale] LSM modules, encryption, and authorization are the
> foundation of a security-hardened system
> - Examples: apparmor, libseccomp, libselinux, *crypt*, libnettle4, libkeyutils1, tpm2-tools, pam, login, passwd, pwauth, xauth, libsasl, php-auth, shadow, sudo...
> 5) Language runtimes/compilers
> [Rationale] they are common to many applications.
> - Examples: gcc, libc, libstdc++, lua, nodejs, openjdk, perl, python, tcl...
You should probably discuss with the LTS team which version(s) of
OpenJDK are security supportable. Updates to OpenJDK are dependent on
upstream support.
Ben.
--
Ben Hutchings, Software Developer - Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom
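As an added illustration (not part of the thread, and not CIP or Debian LTS tooling), the prioritization criteria quoted above can be turned into a simple triage scorer: it parses the CVSS v3 vector string for the attack vector and attack complexity metrics and weights each CVE by package category. The weights, the abbreviated package sets and the sample CVE entries are constructed here for demonstration.

```python
"""Rank CVEs for backport priority using the criteria from the thread above."""
from dataclasses import dataclass

# Package categories taken from the criteria (abbreviated selections).
POPULAR = {"bash", "busybox", "zlib", "sqlite3", "iptables", "util-linux", "dropbear"}
SECURITY = {"apparmor", "libseccomp", "libselinux", "pam", "shadow", "sudo"}
RUNTIMES = {"gcc", "libc", "libstdc++", "lua", "nodejs", "openjdk", "perl", "python"}


@dataclass
class Cve:
    cve_id: str
    package: str
    base_score: float   # CVSS v3 base score, 0.0 to 10.0
    vector: str         # CVSS v3 vector string, e.g. "CVSS:3.0/AV:N/AC:L/..."


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3 vector string into a metric -> value mapping."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("expected a CVSS v3 vector string")
    return dict(p.split(":", 1) for p in parts[1:])


def priority(cve: Cve) -> int:
    """Return an integer priority; higher means fix sooner. Weights are constructed."""
    m = parse_vector(cve.vector)
    score = int(cve.base_score)          # criterion 2: base score
    if cve.package in POPULAR:
        score += 3                       # criterion 1: popular package
    if m.get("AC") == "L":
        score += 2                       # criterion 2: low attack complexity
    if m.get("AV") == "N":
        score += 4                       # criterion 3: reachable over the network
    if cve.package in SECURITY:
        score += 2                       # criterion 4: security software
    if cve.package in RUNTIMES:
        score += 2                       # criterion 5: language runtime/compiler
    return score


def rank(cves):
    """Order CVEs from highest to lowest priority."""
    return sorted(cves, key=priority, reverse=True)


# Constructed sample entries: the IDs, scores and vectors are placeholders, not real CVEs.
SAMPLE = [
    Cve("CVE-EXAMPLE-1", "zlib", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    Cve("CVE-EXAMPLE-2", "sudo", 7.8, "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    Cve("CVE-EXAMPLE-3", "obexftp", 4.3, "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"),
]
```

Running `rank(SAMPLE)` places the network-reachable zlib entry first, the local sudo entry second and the adjacent-network obexftp entry last.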