Yep, looks sensible... Acked-by: Ryan Moats <rmo...@us.ibm.com>
"dev" <dev-boun...@openvswitch.org> wrote on 03/29/2016 01:07:53 PM: > From: Ben Pfaff <b...@ovn.org> > To: dev@openvswitch.org > Cc: Ben Pfaff <b...@ovn.org> > Date: 03/29/2016 01:09 PM > Subject: [ovs-dev] [PATCH] SECURITY.md: Add advisory document details. > Sent by: "dev" <dev-boun...@openvswitch.org> > > Signed-off-by: Ben Pfaff <b...@ovn.org> > --- > SECURITY.md | 104 +++++++++++++++++++++++++++++++++++++++++++++++++ > ++++++++--- > 1 file changed, 100 insertions(+), 4 deletions(-) > > diff --git a/SECURITY.md b/SECURITY.md > index 08a6ed8..33b85b5 100644 > --- a/SECURITY.md > +++ b/SECURITY.md > @@ -101,16 +101,112 @@ determines that it is not a realistic vulnerability. > Step 3a: Document > ---------------- > > -The security team develops a security advisory document. The document > -credits the reporter and describes the vulnerability, including all of > -the relevant information from the assessment in step 2. The security > +The security team develops a security advisory document. The security > team may, at its discretion, include the reporter (via "CC") in > developing the security advisory document, but in any case should > accept feedback from the reporter before finalizing the document. > - > When the document is final, the security team should obtain a CVE for > the vulnerability from a CNA (https://cve.mitre.org/cve/cna.html). > > +The document credits the reporter and describes the vulnerability, > +including all of the relevant information from the assessment in step > +2. Suitable sections for the document include: > + > + * Title: The CVE identifier, a short description of the > + vulnerability. The title should mention Open vSwitch. > + > + In email, the title becomes the subject. Pre-release advisories > + are often passed around in encrypted email, which have plaintext > + subjects, so the title should not be too specific. > + > + * Description: A few paragraphs describing the general > + characteristics of the vulnerability, including the versions of > + Open vSwitch that are vulnerable, the kind of attack that > + exposes the vulnerability, and potential consequences of the > + attack. > + > + The description should re-state the CVE identifier, in case the > + subject is lost when an advisory is sent over email. > + > + * Mitigation: How an Open vSwitch administrator can minimize the > + potential for exploitation of the vulnerability, before applying > + a fix. If no mitigation is possible or recommended, explain > + why, to reduce the chance that at-risk users believe they are > + not at risk. > + > + * Fix: Describe how to fix the vulnerability, perhaps in terms of > + applying a source patch. The patch or patches themselves, if > + included in the email, should be at the very end of the advisory > + to reduce the risk that a reader would stop reading at this > + point. > + > + * Recommendation: A concise description of the security team's > + recommendation to users. > + > + * Acknowledgments: Thank the reporters. > + > + * Vulnerability Check: A step-by-step procedure by which a user > + can determine whether an installed copy of Open vSwitch is > + vulnerable. > + > + The procedure should clearly describe how to interpret the > + results, including expected results in vulnerable and > + not-vulnerable cases. Thus, procedures that produce clear and > + easily distinguished results are preferred. > + > + The procedure should assume as little understanding of Open > + vSwitch as possible, to make it more likely that a competent > + administrator who does not specialize in Open vSwitch can > + perform it successfully. > + > + The procedure should have minimal dependencies on tools that are > + not widely installed. > + > + Given a choice, the procedure should be one that takes at least > + some work to turn into a useful exploit. For example, a > + procedure based on "ovs-appctl" commands, which require local > + administrator access, is preferred to one that sends test > + packets to a machine, which only requires network connectivity. > + > + The section should say which operating systems it is designed > + for. If the procedure is likely to be specific to particular > + architectures (e.g. x86-64, i386), it should state on which ones > + it has been tested. > + > + This section should state the risks of the procedure. For > + example. if it can crash Open vSwitch or disrupt packet > + forwarding, say so. > + > + It is more useful to explain how to check an installed and > + running Open vSwitch than one built locally from source, but if > + it is easy to use the procedure from a sandbox environment, it > + can be helpful to explain how to do so. > + > + * Patch: If a patch or patches are available, and it is practical > + to include them in the email, put them at the end. Format them > + as described in CONTRIBUTING.md, that is, as output by "git > + format-patch". > + > + The patch subjects should include the version for which they are > + suited, e.g. "[PATCH branch-2.3]" for a patch against Open > + vSwitch 2.3.x. If there are multiple patches for multiple > + versions of Open vSwitch, put them in separate sections with > + clear titles. > + > + Multiple patches for a single version of Open vSwitch, that must > + be stacked on top of each other to fix a single vulnerability, > + are undesirable because users are less likely to apply all of > + them correctly and in the correct order. > + > + Each patch should include a Vulnerability tag with the CVE > + identifier, a Reported-by tag or tags to credit the reporters, > + and a Signed-off-by tag to acknowledge the Developer's > + Certificate of Origin. It should also include other appropriate > + tags, such as Acked-by tags obtained during review. > + > +CVE-2016-2074 is an example advisory document, available at: > + http://openvswitch.org/pipermail/announce/2016-March/000082.html > + > > Step 3b: Fix > ------------ > -- > 2.1.3 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev