[yocto-security] new mailing list to discuss CVEs/security related issues
Bruce Ashfield
bruce.ashfield at windriver.com
Fri Mar 6 07:49:34 PST 2015
On 15-03-06 04:46 AM, Sona Sarmadi wrote:
> Hi guys,
>
> Before broadcasting this to the yocto or openembedded-core lists, I would like to discuss some details with you guys since you are more involved in security/CVE updates in the Yocto. Please feel free to forward this to more people or other lists if you think they should be notified.
>
>
> We have set up two security-related mailing lists:
> • Public List
> yocto-security at yoctoproject.org
> This is a public mailing list for anyone to subscribe to. This list is an open list to discuss public security issues/patches/backports of CVEs, etc., inside the Yocto Project. Those who are active with security or want to be more involved in security, or are just curious and want to have some insight into the security work done within the Yocto project, please subscribe to this list and start using it!
>
> To subscribe to this list go to:
> https://lists.yoctoproject.org/listinfo/yocto-security
>
> • Private List
> security at yoctoproject.org (currently forwards to Michael Halstead and me)
> For private security reports, to report and discuss sensitive vulnerabilities in open source products and packages in a secure way.
>
>
> We need to have some internal process/policy/guidelines for dealing with security vulnerabilities, I will put the text below at Yocto Security page (https://wiki.yoctoproject.org/wiki/Security) so everyone can know how we deal with security inside the Yocto community. Please let me know what you think. Please feel free to add more info or remove anything you think is not relevant/correct.
There are some other parts of the security page that are a bit out
of date, or not completely accurate around the kernel. I can do the
edits (if I have the permissions), but otherwise, things look fine
to me.
Let me know if I should edit it directly.
See some minor edits/corrections below as well.
>
> A security vulnerability is detected:
> If you finds a security flaw; a crash, an information leakage or anything that can have a security impact if exploited in any Open Source packages used by Yocto Project, please report this to the Yocto Security Team. If you prefer to contact the upstream project directly, please copy security team at Yocto as well.
s/finds/find/
I think the branding and Marketing folks would want us to always say
"the Yocto Project" versus "Yocto Project", so it is worth searching
and making that substitution.
> If you believe this is sensitive information, please report the vulnerability in a secure way, i.e. encrypt the email and send it to the private list.
> This way, bad guys out there in the world cannot immediately take advantage of the flaw and exploit vulnerable systems.
I'd just say something like:
This ensures that the exploit is not leaked and exploited before a
response/fix has been generated.
>
> What Yocto Security Team do when they receive a security vulnerability:
s/do/does/
> The team do quick analysis and report the flaw to the upstream project. Normally the upstream projects, research the problem and figure out if there really is a problem and how to deal with it.
Should be:
The team performs a quick analysis and reports the flaw ...
>
> If they deem that it is a real security problem in their software, the project then mail the linux-distros mailing list and notify all the big Linux distributions/vendors about the existence of this vulnerability/flaw. These mailing lists are normally non-public. The project and people on the linux-distros then can agree on a release date when the flaw should be made public.
s/then mail/then mails/
s/and notify/and notifies/
> There’s also sometimes some coordination for handling patches or backporting of patches etc, or just understanding the problem or what caused it.
>
> When the security issue is finally to be made public, normally the upstream project is responsible for contacting Mitre (cve-assign at mitre.org) to get a CVE number assigned to it and copying other Open Source Security mailing lists to inform the whole world of the vulnerability.
>
> If an upstream project does not respond quickly:
> If the upstream project does not fix the problem, the Yocto security team will contact linux-distros and the community and together try to solve the vulnerability as quickly as possible.
> Normally big Linux vendors fix the problem if the problem affects their products.
Chances are that everyone from the enterprise distros to the commercial
Yocto vendors will get fixes done first, but it is nice to have a safety
net for issues that really are specific to oe and embedded.
Cheers,
Bruce
>
> Thanks
> //Sona
>