Differences between revisions 14 and 15
Revision 14 as of 2012-07-12 17:29:18
Size: 2066
Editor: LucianoBello
Comment:
Revision 15 as of 2013-02-17 10:30:15
Size: 1950
Comment:
Line 3: Line 3:
The security archive is autobuilt these days. Manual signing should no longer be neccesary. The only buildd still requiring manual signings is for arm, which will be retired with the end of support for lenny. The security archive is autobuilt these days. Manual signing should no longer be necessary.
Line 5: Line 5:
Most failed builds are rescheduled by the buildd admins. Otherwise they need to contacted at ARCH@buildd.debian.org Most failed builds are rescheduled by the buildd admins. Otherwise they need to contacted at ARCH@buildd.debian.org.
Line 28: Line 28:
When CVE IDs exist for the vulnerability, list them, with a description of the nature of the flaw (buffer overflow, XSS, integer overflow, etc.) and the worst-known exploitability (DoS, privelege escalation, arbitrary code). Note what's possible; don't downplay or overstate the threat. When CVE IDs exist for the vulnerability, list them, with a description of the nature of the flaw (buffer overflow, XSS, integer overflow, etc.) and the worst-known exploitability (DoS, privilege escalation, arbitrary code). Note what's possible; don't downplay or overstate the threat.
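Review bot: The Line 5 change adds the missing full stop but leaves the grammatical error in the same sentence: "Otherwise they need to contacted at ARCH@buildd.debian.org" should read "Otherwise they need to be contacted at ARCH@buildd.debian.org." Since this revision already touches that sentence, fixing the verb at the same time would avoid another revision for a one-word change.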

Signing the builds for binary:any updates

The security archive is autobuilt these days. Manual signing should no longer be necessary.

Most failed builds are rescheduled by the buildd admins. Otherwise they need to be contacted at ARCH@buildd.debian.org.

Writing the advisory text

There's a fairly standard template for this in the secure-testing repository. You can run the command:

bin/gen-DSA --save <package> <vulnerability> "CVEs" '#bugs'

which will allocate a new DSA id from the list and generate a DSA draft. Don't forget to set $DEBFULLNAME and $DEBEMAIL in the environment.

Make sure to commit data/DSA/list, so that the ID is allocated. In this commit you may also want to include the version number of the fixed package. For example:

 [squeeze] - libxml2 2.7.8.dfsg-2+squeeze2
 [lenny] - libxml2 2.6.32.dfsg-5+lenny5
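As an added example (not part of the original page or of the secure-testing repository's own tooling), the following Python script checks lines in the "[suite] - package version" shape shown above before they are committed to data/DSA/list. It parses each line, validates the package name and version against a loose Debian grammar, and flags the mistake that is easiest to make when copying entries between suites: a version whose "+<suite><n>" suffix does not match the suite in brackets. The set of known suites, the sample entries (the third one deliberately wrong) and the exact line format are assumptions drawn from the two example lines on this page, not from the real file's full syntax.

```python
import re
from typing import NamedTuple

# Suites that can carry a "+<suite><n>" security-update suffix (assumption;
# extend this to the suites currently supported).
KNOWN_SUITES = {"lenny", "squeeze", "wheezy"}

# Constructed sample in the "[suite] - package version" shape used on the page;
# the third line deliberately carries a suffix for the wrong suite.
SAMPLE_ENTRIES = """\
 [squeeze] - libxml2 2.7.8.dfsg-2+squeeze2
 [lenny] - libxml2 2.6.32.dfsg-5+lenny5
 [lenny] - libxml2 2.6.32.dfsg-5+squeeze1
 [wheezy] - libxml2 2.8.0+dfsg1-7
"""

ENTRY_RE = re.compile(
    r"^\s*\[(?P<suite>[a-z]+)\]\s+-\s+(?P<package>\S+)\s+(?P<version>\S+)\s*$"
)
# Debian source package names: lowercase letters, digits, '+', '-', '.', at least two chars.
PACKAGE_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")
# Loose Debian version grammar: optional epoch, then a digit, then version characters.
VERSION_RE = re.compile(r"^(\d+:)?[0-9][A-Za-z0-9.+~:-]*$")
# Trailing "+<suite><n>" security-update suffix, e.g. "+squeeze2".
SUFFIX_RE = re.compile(r"\+(?P<suite>[a-z]+)(?P<n>\d+)$")


class Entry(NamedTuple):
    suite: str
    package: str
    version: str


def parse_entries(text: str) -> list[Entry]:
    """Parse every non-blank line; a malformed line raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(
                f"line {lineno}: not in '[suite] - package version' form: {line!r}"
            )
        entries.append(Entry(m["suite"], m["package"], m["version"]))
    return entries


def check_entry(entry: Entry) -> list[str]:
    """Return the problems found in one entry (an empty list means it looks sane)."""
    problems = []
    if entry.suite not in KNOWN_SUITES:
        problems.append(f"unknown suite {entry.suite!r}")
    if not PACKAGE_RE.match(entry.package):
        problems.append(f"odd package name {entry.package!r}")
    if not VERSION_RE.match(entry.version):
        problems.append(f"odd version {entry.version!r}")
    # Only treat the suffix as a suite marker when it names a known suite, so a
    # repacked-upstream suffix such as "+dfsg1" is not mistaken for one.
    m = SUFFIX_RE.search(entry.version)
    if m and m["suite"] in KNOWN_SUITES and m["suite"] != entry.suite:
        problems.append(
            f"version suffix +{m['suite']}{m['n']} does not match suite [{entry.suite}]"
        )
    return problems


def report(text: str) -> list[str]:
    """All problems in a block of entries, one string per problem."""
    try:
        entries = parse_entries(text)
    except ValueError as exc:
        return [str(exc)]
    out = []
    for e in entries:
        for p in check_entry(e):
            out.append(f"[{e.suite}] {e.package} {e.version}: {p}")
    return out


if __name__ == "__main__":
    for problem in report(SAMPLE_ENTRIES) or ["no problems found"]:
        print(problem)
```

Run against the constructed sample it reports only the third line, whose +squeeze1 suffix contradicts the [lenny] tag; the wheezy line's "+dfsg1" is correctly ignored because "dfsg" is not a suite.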

Once this is done, you can edit the saved DSA draft to add some information about the vulnerability; an existing DSA from debian-security-announce can serve as an example.

If updating a previous DSA, note what was wrong/missing about the previous one and how this update is different.

When CVE IDs exist for the vulnerability, list them, with a description of the nature of the flaw (buffer overflow, XSS, integer overflow, etc.) and the worst-known exploitability (DoS, privilege escalation, arbitrary code). Note what's possible; don't downplay or overstate the threat.

Give brief acknowledgment to the discoverer of the flaw, if they're known. If multiple people worked to assess the vulnerability, note them too.

Finally

Once all builds are available (only team@s.d.o has access to this) and the advisory text is ready, send a mail to team@security.debian.org. The update will be reviewed and released as described in the following section.