On 1/28/21 9:37 PM, Ken Moffat via blfs-dev wrote:
A little while ago I proposed separating out our Security
Advisories.  What I would now like to do is create an *extra* page
in the www/ repo listing (and in a couple of mutt cases creating[1])
advisories from 1st September when BLFS-10.0 was released.

For changes to the books I would create a branch, but for
security advisories, just as for errata, the page needs to be
visible on the main LFS website otherwise the links will not work
(at least in my case, where I have separate repos for LFS, BLFS and
www2).

So, I'd like to add an extra page with a bit more detail and
crucially showing that Seamonkey as an example has had 5 advisories
(one was a change to the patch we were using).

If this flies, I suggest that eventually we reserve the Errata for
things which are not vulnerabilities, and at the end of the Errata
page add a link to the new BLFS Security Advisories page.

I'm thinking the format will be something like the following (not
necessarily what I originally suggested).

(title: BLFS Security Advisories from September 2020 onwards)

(heading: BLFS-10.0 was released on 2020/09/01
  - intersperse a new heading for each release)

For each advisory: something like (not sure how this will look,
detail may change a bit, maybe initially with variations in the
layout for people to form opinions on what looks best)

SA 20YYMMNN Vulnerabilities in FuBar before version 1.2.3.

(some details, according to what is available for individual
advisories.)

(possible links to CVEs or other notifications - sometimes there
might be several CVEs)

To fix this, (either: mention some workaround, or) update to
FuBar-1.2.3 or later using the instructions in the development
books: [link for sysv labelled as FuBar (sysv)] [link for systemd
labelled as FuBar (systemd)]

NB link labels will NOT include versions, and if a package is only
in one book, the link for the other book would be marked as 'N/A'.
So, for e.g. firefox there would be several advisories, some also
for JS78, but all linking to the current development version (and
perhaps on release those should link to the version in the released
book).

In some cases the instructions may differ, e.g. for gstreamer in
October we told people to use the 1.16.3 series with the
instructions from the 10.0 book because 1.18 would break things.

Although the page will be on the lfs website, during this
prototyping it will not be linked from other pages - I'll post here
when I have something for people to review.  There are "rather a
lot" of items since 10.0 was released.

Our main security guy is Doug, so I'd like to get his opinion before
I start, together with any views of "No, because ...".

I'm guessing the page should be at
http://www.linuxfromscratch.org/blfs/advisories/index.html
to fit in with blfs/errata/stable/index.html and
stable-systemd/index.html.

If this flies, perhaps also a direct link from
http://www.linuxfromscratch.org/blfs/read.html e.g. "Security
Advisories".

ĸen

1. The patch for 2.0.4 had a CVE although the maintainer and
reporter were ok without giving it one, and 2.0.5 has another
similar fix without a CVE, so both probably deserve advisories.

I'm OK with this in general, but we are two weeks from package freeze for 10.1. After that is released we are planning on migrating the LFS host to a new location and other major changes to the site. I think this would be a good place to roll in this change with the other changes.

  -- Bruce
