* [cip-dev] [CIP Core] Criteria for prioritizing security fixes in Debian LTS
@ 2018-07-20 8:20 Daniel Sangorrin
From: Daniel Sangorrin @ 2018-07-20 8:20 UTC (permalink / raw)
To: cip-dev
Hello Ben,
As platinum-level sponsors of the Debian LTS, we (CIP members) can provide a list of packages that we rely on and that should be prioritized in terms of security support.
[Note] The list of packages from each member can be found here:
Ref: https://docs.google.com/spreadsheets/d/1hrhYnDYSxeA-ZXaHB329-CzgY8H4H5iHXP1AeFFdJDc/
[Note] The list can be updated at any time (by notifying deblts at freexian.com)
[Note] The votes will be weighted by the amount of money contributed.
[Note] The Customer recognizes that this contract is a best-effort contract
During the Open Source Summit in Japan, we discussed how to prioritize those packages. I proposed creating a set of criteria, and Agustin mentioned that it would be a good idea to have you (Ben) evaluate these criteria and their impact before attending DebConf.
[Note] Based on your feedback, CIP will decide whether or not to contact the Freexian leads before DebConf.
Without further delay, I would appreciate it if you reviewed the criteria below to prioritize security fixes:
1) Packages that are popular among members' package lists
[Rationale] popular packages are often the target of exploits
- Examples: bash, busybox[-static], zlib, sqlite3, iptables, net-tools, libcap2, util-linux, dropbear, libsqlite3, tzdata
2) CVEs with high "base score", high "impact score", high "exploitability score", and low "attack complexity"
[Rationale] these CVEs usually refer to bugs that are easy to exploit or have a high impact.
3) Network software (CVEs with "Access Vector (AV): Network")
[Rationale] bugs that can be exploited remotely are the most dangerous
- Network servers examples: apache2, nginx, openssh-server, openssh-sftp-server,
tftp-hpa, postgresql, nfs-kernel-server, strongswan, netcat, vsftpd
- Network libs examples: libssh, libssl, zeromq3, libsocketcan, net-snmp,
libnet, libnss, openldap, openvpn, libcurl...
- Network clients examples: openssh-client, sshpass, ntp, wireless-tools,
wget, obexftp, iproute2...
- Update software examples: apt, unattended-upgrades...
4) Security software
[Rationale] LSM modules, encryption, and authorization are the
foundation of a security-hardened system
- Examples: apparmor, libseccomp, libselinux, *crypt*, libnettle4, libkeyutils1, tpm2-tools, pam, login, passwd, pwauth, xauth, libsasl, php-auth, shadow, sudo...
5) Language runtimes/compilers
[Rationale] they are common to many applications.
- Examples: gcc, libc, libstdc++, lua, nodejs, openjdk, perl, python, tcl...
Best regards,
Daniel Sangorrin
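As an added example (not part of the thread), here is one way to turn the five criteria above into a repeatable ranking over a CVE list: criterion 1 is the money-weighted share of members listing the package, criterion 2 uses the CVSS v2 base/impact/exploitability subscores and access complexity, criterion 3 uses AV:N plus the network-software lists, and criteria 4 and 5 are package-category bonuses. The member lists, sponsorship weights, CVSS numbers and CVE ids are constructed placeholders, and the relative criterion weights are a hypothetical choice, not something the thread fixes.

```python
from dataclasses import dataclass
# Package categories abridged from the criteria in the mail (constructed subsets).
NETWORK_PKGS = {"apache2", "nginx", "openssh-server", "libssl", "libcurl", "apt"}
SECURITY_PKGS = {"apparmor", "libseccomp", "pam", "sudo", "shadow"}
RUNTIME_PKGS = {"gcc", "libc", "perl", "python", "openjdk"}
# Relative weight of each criterion; hypothetical values, not from the thread.
WEIGHTS = {"popularity": 2.0, "cvss": 2.0, "low_ac": 1.0, "remote": 2.0,
           "network_pkg": 1.0, "security_pkg": 1.0, "runtime_pkg": 0.5}

@dataclass(frozen=True)
class Cve:
    cve_id: str
    package: str
    base: float             # CVSS v2 base score, 0-10
    impact: float           # CVSS v2 impact subscore, 0-10
    exploitability: float   # CVSS v2 exploitability subscore, 0-10
    access_complexity: str  # CVSS v2 AC: "L", "M" or "H" (the "attack complexity" of criterion 2)
    access_vector: str      # CVSS v2 AV: "N" (network), "A" (adjacent) or "L" (local)

def popularity(package, member_lists, sponsorship):
    """Criterion 1: share of sponsorship money behind members that list the package."""
    backing = sum(sponsorship[m] for m, pkgs in member_lists.items() if package in pkgs)
    return backing / sum(sponsorship.values())

def priority(cve, member_lists, sponsorship):
    """Combine the five criteria into one comparable number (higher = fix first)."""
    parts = {
        "popularity": popularity(cve.package, member_lists, sponsorship),   # criterion 1
        "cvss": (cve.base + cve.impact + cve.exploitability) / 30.0,       # criterion 2
        "low_ac": {"L": 1.0, "M": 0.5, "H": 0.0}[cve.access_complexity],   # criterion 2
        "remote": {"N": 1.0, "A": 0.5, "L": 0.0}[cve.access_vector],       # criterion 3
        "network_pkg": float(cve.package in NETWORK_PKGS),                # criterion 3
        "security_pkg": float(cve.package in SECURITY_PKGS),              # criterion 4
        "runtime_pkg": float(cve.package in RUNTIME_PKGS),                # criterion 5
    }
    return sum(WEIGHTS[k] * v for k, v in parts.items())

def rank(cves, member_lists, sponsorship):
    """CVE ids ordered from highest to lowest priority."""
    return [c.cve_id for c in
            sorted(cves, key=lambda c: priority(c, member_lists, sponsorship), reverse=True)]
# Constructed sample data: member package lists, hypothetical contributions (arbitrary
# units, so memberA's votes count three times memberC's) and CVE records with placeholder ids.
MEMBER_LISTS = {"memberA": {"bash", "openssh-server", "sudo"},
                "memberB": {"bash", "libcurl", "python"}, "memberC": {"bash", "openssh-server"}}
SPONSORSHIP = {"memberA": 3, "memberB": 2, "memberC": 1}
SAMPLE_CVES = [Cve("CVE-XXXX-0001", "bash", 10.0, 10.0, 10.0, "L", "N"),
               Cve("CVE-XXXX-0002", "sudo", 7.2, 10.0, 3.9, "L", "L"),
               Cve("CVE-XXXX-0003", "libcurl", 5.0, 2.9, 10.0, "L", "N"),
               Cve("CVE-XXXX-0004", "python", 4.3, 2.9, 8.6, "M", "N")]
```

With the sample data, `rank(SAMPLE_CVES, MEMBER_LISTS, SPONSORSHIP)` puts the remotely reachable bash issue listed by every member first and the local-only sudo issue last, even though sudo is in the security-software set.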
* [cip-dev] [CIP Core] Criteria for prioritizing security fixes in Debian LTS
From: Ben Hutchings @ 2018-07-26 3:29 UTC (permalink / raw)
To: cip-dev
On Fri, 2018-07-20 at 17:20 +0900, Daniel Sangorrin wrote:
[...]
> Without further delay, I would appreciate it if you reviewed the
> criteria below to prioritize security fixes:
The criteria make sense to me. I have a few points:
> 1) Packages that are popular among members' package lists
> [Rationale] popular packages are often the target of exploits
> - Examples: bash, busybox[-static], zlib, sqlite3, iptables, net-tools, libcap2, util-linux, dropbear, libsqlite3, tzdata
> 2) CVEs with high "base score", high "impact score",
> high "exploitability score", and low "attack complexity"
> [Rationale] these CVEs usually refer to bugs that are easy to exploit
> or have a high impact.
> 3) Network software (CVEs with "Access Vector (AV): Network")
> [Rationale] bugs that can be exploited remotely are the most dangerous
> - Network servers examples: apache2, nginx, openssh-server, openssh-sftp-server,
> tftp-hpa, postgresql, nfs-kernel-server, strongswan, netcat, vsftpd
> - Network libs examples: libssh, libssl, zeromq3, libsocketcan, net-snmp,
> libnet, libnss, openldap, openvpn, libcurl...
> - Network clients examples: openssh-client, sshpass, ntp, wireless-tools,
> wget, obexftp, iproute2...
> - Update software examples: apt, unattended-upgrades...
I don't think remote filesystem implementations are security-
supportable over the period required by LTS, and I thought we agreed
that remote filesystem code in the kernel wouldn't be supported.
> 4) Security software
> [Rationale] LSM modules, encryption, and authorization are the
> foundation of a security-hardened system
> - Examples: apparmor, libseccomp, libselinux, *crypt*, libnettle4, libkeyutils1, tpm2-tools, pam, login, passwd, pwauth, xauth, libsasl, php-auth, shadow, sudo...
> 5) Language runtimes/compilers
> [Rationale] they are common to many applications.
> - Examples: gcc, libc, libstdc++, lua, nodejs, openjdk, perl, python, tcl...
You should probably discuss with the LTS team which version(s) of
OpenJDK are security supportable. Updates to OpenJDK are dependent on
upstream support.
Ben.
--
Ben Hutchings, Software Developer - Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom