From Fedora Project Wiki

(change meeting time)
(Redirect to new Security SIG; remove obsoleted information about old Security Team)
[[File:Fedora_Security_Team.png|200px|right|Fedora Security Team logo]]
#REDIRECT [[SIGs/Security]]
 
== Mission ==
{{:Security_Team_Mission}}
 
== Contact ==
 
If you need help or assistance with any issue, please feel free to contact the FST members at
 
* '''IRC''':
** {{fpchat|#fedora-security}} - Security Team IRC channel
 
* '''Mailing lists''':
** {{fplist|security}} - Security Team mailing list
 
* '''Weekly meetings''':
** Every Thursday at 15:00 UTC. -> [[Security_Team_meetings|Schedule and Agenda]]
 
=== Security Response ===
 
To '''report a vulnerability''' in software please follow the procedure outlined on the [[Security Bugs]] page.
 
To '''report a security concern''' within the Fedora Project please email security at fedoraproject dot org.
 
== What we do ==
 
Fedora Security Team (FST) has several overlapping missions that together aim to make Fedora a more secure operating environment.  The following tasks are the responsibility of the Fedora security team.
 
=== Vulnerability Patching Assistance ===
The main goal of this task is to make sure that known vulnerabilities are patched and shipped in a timely manner.  By assisting package maintainers with patches, it is hoped that vulnerability fixes can make it to user systems before those systems become the victim of an attack.
 
=== Security Response ===
Security response means responding to new vulnerabilities in a timely manner.  Fedora currently relies on the services of [https://access.redhat.com/security/overview Red Hat Product Security] to process vulnerability reports, work with upstream, and work with packagers to address security vulnerabilities.
 
=== Secure Coding ===
Keeping vulnerabilities from being written in the first place should be the goal of any good security team and this team is no different.  We strive to create documentation that explains how to avoid common pitfalls in software development and attempt to [https://fedorahosted.org/fedora-security-team/newticket answer any questions] that come our way.
 
=== Code Auditing ===
Code auditing is another service we'd like to offer in the future; the aim is to find vulnerabilities in code before a [http://www.techrepublic.com/blog/it-security/hacker-vs-cracker/ cracker] can take advantage of them.
 
<!--
Fedora Security Team aims to ensure that users are protected from vulnerabilities that exist in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via [https://bugzilla.redhat.com/ Bugzilla] by Red Hat Product Security.  These bugs are marked with the '''keywords: SecurityTracking''' attribute in Bugzilla, for example [https://bugzilla.redhat.com/show_bug.cgi?id=905374 CVE-2013-0333 rubygem-activesupport: json to yaml parsing]. The '''SecurityTracking''' keyword indicates that the bug could have security implications which need to be investigated.
 
We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such a patch or new release is available, the package maintainer builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi].
 
 
=== [https://cve.mitre.org/ CVEs] ===
 
CVE stands for '''Common Vulnerabilities and Exposures''' and is the global standard for uniquely identifying and tracking software security vulnerabilities. Each vulnerability in any package has a unique CVE ID assigned to it. If it is a new security issue, we need to [http://www.openwall.com/lists/oss-security/2014/09/07/1 request] a CVE ID for it from the [http://www.openwall.com/lists/oss-security/ oss-security] mailing list. Alternatively, we may also request CVEs from Red Hat via secalert@redhat.com. CVE IDs are allocated by the [http://www.mitre.org/about/corporate-overview MITRE Corporation], which is the primary '''CVE Numbering Authority (CNA)'''.
 
For each assigned CVE two bugs are created: the first is the parent bug, which describes the issue in human-readable detail and lists available fixes; the second is a child bug, which is used to track the progression of these fixes into individual products (Fedora, Fedora-EPEL, etc.). The parent bug is generic; it is opened against '''Component: vulnerability'''. Child bugs are specific; they are opened against '''Component: <package-name>''' of an individual product and are marked with '''keywords: SecurityTracking'''.
 
-->
 
== How to get involved ==
=== Joining the team ===
 
Joining the Fedora Security Team is an easy, three-step process:
# subscribe to the {{fplist|security}} mailing list,
# join us on the {{fpchat|#fedora-security}} IRC channel,
# take a look at the [[Security Team Tasks]], and
# read the [[Security_Team_Work_Flow|work flow]].
 
Once you feel comfortable just jump in and start helping. If you have questions please ask on IRC or on the mailing list.
 
Also, please take a look at the proposed [[Security Team Apprenticeship]] program as this may help answer additional questions.
 
{{:Security Team Hall of Fame}}
 
[[Category:Security]]

Latest revision as of 12:19, 4 September 2024
