From Fedora Project Wiki

Revision as of 14:31, 26 March 2015 by Sparks (talk | contribs) (→‎Contact)

Mission

To provide the utmost secure operating environment to Fedora users.

Contact

If you need help or assistance with any issue, please feel free to contact the FST members at

Get involved

Fedora Security Team aims to ensure that users are protected from any vulnerabilities that exist in Fedora packages. The vulnerabilities are reported to Fedora package maintainers via Bugzilla. These bugs are marked with keywords: Security attribute in Bugzilla, for ex. => ndjbdns vulnerable to cve-2012-1191(ghost domain attack). The Security keywords indicates that the bug could have security implications which need to be investigated. The package maintainer then follows up with the upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, package maintainer then builds a new version of the Fedora package and submits an update to the Fedora repositories via Bodhi.

It is a straight forward process. But the problems arise when package maintainers either don't understand the issue or are too busy to triage it in time. That is where the Fedora Security Team comes in to help. We work with the upstream developers to obtain the security fixes and help package maintainers to push these fixes to the Fedora repositories.

CVE

CVE stands for Common Vulnerabilities and Exposures. It is the global standard to uniquely identify and track information security vulnerabilities. Each vulnerability in any package has a unique CVE ID assigned to it. If it is a new security issue, we need to request a CVE ID for it from the oss-security mailing list. CVE ID are allocated by the MITRE Corporation, which is the primary CVE Numbering Authority(CNA).

For each assigned CVE, we create two bugs. First is the parent bug which describes the issue in human understandable details and lists available fixes. Second is the child bug which is used to track progression of these fixes into individual products(Fedora, Fedora-EPEL etc.), which ship the vulnerable package. Parent bug is a generic one; it is opened against Component: vulnerability. Child bugs are specific; they are opened against Component: <package-name> of an individual product and are marked with keywords: SecurityTracking.

Work flow

Joining the Fedora Security Team is easy. First, subscribe to the security-team mailing list. Second, join us on the #fedora-security-team[?] IRC channel. And third, read the work flow and jump in. If you have questions please ask on IRC or on the mailing list.

  1. Select an open security bug from -> Open issues.
  2. Own the bug.
  3. Examine the bug details and validate if it is really a security issue.
  4. Determine if a fix is available and if the vulnerability is already fixed in Fedora by examining the current version and/or talking with the package maintainer.
  5. If a fix is not available, work with the upstream developers via email/mailing list/IRC channels to obtain a patch or new version which fixes the issue.
  6. Work with the package maintainer to get patch or fixed version packaged and pushed as a security update.
  7. GOTO 1;

Ownership

Each tracking bug should have an owner for several reasons. It would certainly be inefficient if the work was done twice. At times collisions and misunderstandings might occur if two people tried to coordinate a fix with an upstream developer independently. For these reasons, we should indicate the fact that we are working on the tracking bug by filling the Whiteboard of the bug with Bugzilla user name of the owner:

   Whiteboard: fst_owner=<owner>,[<owner2>,<owner3>]

As <owner> FAS ID should be used; It simplifies further management. For the list of Bugzilla user names of the Fedora Security Team see the Security Team Roster.

Note: For multiple FST owners FAS IDs should be comma-separated and NOT contain spaces.

Bugzilla Links

Tools/Resources