Re: [libvirt] [PATCH] Document security reporting handling process
On 07/01/2013 05:09 AM, Daniel Veillard wrote:
> On Fri, Jun 28, 2013 at 11:45:59AM -0600, Eric Blake wrote:
>> On 06/04/2013 09:33 AM, Eric Blake wrote:
>>> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>>>> From: Daniel P. Berrange berra...@redhat.com
>>>>
>>>> Signed-off-by: Daniel P. Berrange berra...@redhat.com
>>>> ---
>>>>  docs/bugs.html.in            | 12 +
>>>>  docs/contact.html.in         | 12 +
>>>>  docs/securityprocess.html.in | 113 +++
>>>>  docs/sitemap.html.in         | 4 ++
>>>>  4 files changed, 141 insertions(+)
>>>>  create mode 100644 docs/securityprocess.html.in
>>
>> Did this ever get pushed? It should go in before 1.1.0 is released,
>> particularly since we have already used this list to discuss
>> CVE-2013-2218 (more details on Monday when embargo ends).
>
> Right, I pushed it ! thanks !
>
> Daniel

It's still missing from the web - I see the link under Bug reports, but
http://libvirt.org/securityprocess.html gives me 404.

Jan

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Document security reporting handling process
On Mon, Jul 01, 2013 at 10:37:29AM +0200, Ján Tomko wrote:
> On 07/01/2013 05:09 AM, Daniel Veillard wrote:
>> On Fri, Jun 28, 2013 at 11:45:59AM -0600, Eric Blake wrote:
>>> On 06/04/2013 09:33 AM, Eric Blake wrote:
>>>> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>>>>> From: Daniel P. Berrange berra...@redhat.com
>>>>>
>>>>> Signed-off-by: Daniel P. Berrange berra...@redhat.com
>>>>> ---
>>>>>  docs/bugs.html.in            | 12 +
>>>>>  docs/contact.html.in         | 12 +
>>>>>  docs/securityprocess.html.in | 113 +++
>>>>>  docs/sitemap.html.in         | 4 ++
>>>>>  4 files changed, 141 insertions(+)
>>>>>  create mode 100644 docs/securityprocess.html.in
>>>
>>> Did this ever get pushed? It should go in before 1.1.0 is released,
>>> particularly since we have already used this list to discuss
>>> CVE-2013-2218 (more details on Monday when embargo ends).
>>
>> Right, I pushed it ! thanks !
>>
>> Daniel
>
> It's still missing from the web - I see the link under Bug reports, but
> http://libvirt.org/securityprocess.html gives me 404.

I had to speed up the checkout on the web site, it's up there now !

Daniel

--
Daniel Veillard      | Open Source and Standards, Red Hat
veill...@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/
Re: [libvirt] [PATCH] Document security reporting handling process
On Fri, Jun 28, 2013 at 11:45:59AM -0600, Eric Blake wrote:
> On 06/04/2013 09:33 AM, Eric Blake wrote:
>> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>>> From: Daniel P. Berrange berra...@redhat.com
>>>
>>> Historically security issues in libvirt have been primarily triaged &
>>> fixed by the Red Hat libvirt members & Red Hat security team, who then
>>> usually notify other vendors via appropriate channels. There have been
>>> a number of times when vendors have not been properly notified ahead of
>>> announcement. It has also disadvantaged community members who have to
>>> backport fixes to releases for which there are no current libvirt
>>> stable branches.
>>>
>>> To address this, we want to make the libvirt security process entirely
>>> community focused / driven. To this end I have setup a new email
>>> address libvirt-secur...@redhat.com for end users to report bugs which
>>> have (possible) security implications.
>>>
>>> Document how to report security bugs and the process that will be used
>>> for addressing them.
>>>
>>> Signed-off-by: Daniel P. Berrange berra...@redhat.com
>>> ---
>>>  docs/bugs.html.in            | 12 +
>>>  docs/contact.html.in         | 12 +
>>>  docs/securityprocess.html.in | 113 +++
>>>  docs/sitemap.html.in         | 4 ++
>>>  4 files changed, 141 insertions(+)
>>>  create mode 100644 docs/securityprocess.html.in
>
> Did this ever get pushed? It should go in before 1.1.0 is released,
> particularly since we have already used this list to discuss
> CVE-2013-2218 (more details on Monday when embargo ends).

Right, I pushed it ! thanks !

Daniel

--
Daniel Veillard      | Open Source and Standards, Red Hat
veill...@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/
Re: [libvirt] [PATCH] Document security reporting handling process
On 06/04/2013 09:33 AM, Eric Blake wrote:
> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>> From: Daniel P. Berrange berra...@redhat.com
>>
>> Historically security issues in libvirt have been primarily triaged &
>> fixed by the Red Hat libvirt members & Red Hat security team, who then
>> usually notify other vendors via appropriate channels. There have been
>> a number of times when vendors have not been properly notified ahead of
>> announcement. It has also disadvantaged community members who have to
>> backport fixes to releases for which there are no current libvirt
>> stable branches.
>>
>> To address this, we want to make the libvirt security process entirely
>> community focused / driven. To this end I have setup a new email
>> address libvirt-secur...@redhat.com for end users to report bugs which
>> have (possible) security implications.
>>
>> Document how to report security bugs and the process that will be used
>> for addressing them.
>>
>> Signed-off-by: Daniel P. Berrange berra...@redhat.com
>> ---
>>  docs/bugs.html.in            | 12 +
>>  docs/contact.html.in         | 12 +
>>  docs/securityprocess.html.in | 113 +++
>>  docs/sitemap.html.in         | 4 ++
>>  4 files changed, 141 insertions(+)
>>  create mode 100644 docs/securityprocess.html.in

Did this ever get pushed? It should go in before 1.1.0 is released,
particularly since we have already used this list to discuss
CVE-2013-2218 (more details on Monday when embargo ends).

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Re: [libvirt] [PATCH] Document security reporting handling process
On Tue, Jun 4, 2013 at 9:29 AM, Roman Bogorodskiy bogorods...@gmail.com wrote:
> Daniel P. Berrange wrote:
>> On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
>>> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>>>> From: Daniel P. Berrange berra...@redhat.com
>>>>
>>>> Historically security issues in libvirt have been primarily triaged &
>>>> fixed by the Red Hat libvirt members & Red Hat security team, who then
>>>> usually notify other vendors via appropriate channels. There have been
>>>> a number of times when vendors have not been properly notified ahead of
>>>> announcement. It has also disadvantaged community members who have to
>>>> backport fixes to releases for which there are no current libvirt
>>>> stable branches.
>>>>
>>>> To address this, we want to make the libvirt security process entirely
>>>> community focused / driven. To this end I have setup a new email
>>>> address libvirt-secur...@redhat.com for end users to report bugs which
>>>> have (possible) security implications.
>>>>
>>>> This email addr is backed by an invitation only, private archive,
>>>> mailing list. The intent is for the list membership to comprise a
>>>> subset of the libvirt core team, along with any vendor security team
>>>> engineers who wish to participate in a responsible disclosure process
>>>> for libvirt. Members of the list will be responsible for analysing the
>>>> problem to determine if a security issue exists and then issue fixes
>>>> for all current official stable branches & git master.
>>>>
>>>> I am proposing the following libvirt core team people as members of
>>>> the security team / list (all cc'd):
>>>>
>>>>   Daniel Berrange (Red Hat)
>>>>   Eric Blake (Red Hat)
>>>>   Jiri Denemar (Red Hat)
>>>>   Daniel Veillard (Red Hat)
>>>>   Jim Fehlig (SUSE)
>>>>   Doug Goldstein (Gentoo)
>>>>   Guido Günther (Debian)
>>>>
>>>> We don't have anyone from Ubuntu on the libvirt core team. Serge Hallyn
>>>> is the most frequent submitter of patches from Ubuntu in recent
>>>> history, so I'd like to invite him to join. Alternatively, Serge, feel
>>>> free to suggest someone else to represent Ubuntu's interests.
>>>
>>> Is it worth adding any BSD representation? Roman Bogorodskiy might be
>>> the best candidate on that front.
>>
>> Yep, meant to mention that.
>>
>> I was not sure whether any *BSD is actually distributing formal libvirt
>> packages to users yet, or if they're still just at the code porting
>> stage. Roman, what's the status of the FreeBSD port / packaging effort
>> from your POV ?
>
> FreeBSD has libvirt port: http://www.freshports.org/devel/libvirt/
>
> It is maintained by Jason Helfman (CCed), so I think he's more
> appropriate person for such kind of things. From my side, I'd be happy
> to help also.
>
> Roman Bogorodskiy

Packages are supplied to users as part of our standard package
distribution sets for releases and standard updates of our package sets.
It has been distributed as a package since it was committed to the
FreeBSD ports tree.

-jgh

--
Jason Helfman     | FreeBSD Committer
j...@freebsd.org  | http://people.freebsd.org/~jgh  | The Power to Serve
Re: [libvirt] [PATCH] Document security reporting handling process
On 06/04/2013 04:06 AM, Daniel P. Berrange wrote: 
> From: Daniel P. Berrange berra...@redhat.com
>
> Historically security issues in libvirt have been primarily triaged &
> fixed by the Red Hat libvirt members & Red Hat security team, who then
> usually notify other vendors via appropriate channels. There have been
> a number of times when vendors have not been properly notified ahead of
> announcement. It has also disadvantaged community members who have to
> backport fixes to releases for which there are no current libvirt
> stable branches.
>
> To address this, we want to make the libvirt security process entirely
> community focused / driven. To this end I have setup a new email
> address libvirt-secur...@redhat.com for end users to report bugs which
> have (possible) security implications.
>
> This email addr is backed by an invitation only, private archive,
> mailing list. The intent is for the list membership to comprise a
> subset of the libvirt core team, along with any vendor security team
> engineers who wish to participate in a responsible disclosure process
> for libvirt. Members of the list will be responsible for analysing the
> problem to determine if a security issue exists and then issue fixes
> for all current official stable branches & git master.
>
> I am proposing the following libvirt core team people as members of
> the security team / list (all cc'd):
>
>   Daniel Berrange (Red Hat)
>   Eric Blake (Red Hat)
>   Jiri Denemar (Red Hat)
>   Daniel Veillard (Red Hat)
>   Jim Fehlig (SUSE)
>   Doug Goldstein (Gentoo)
>   Guido Günther (Debian)
>
> We don't have anyone from Ubuntu on the libvirt core team. Serge Hallyn
> is the most frequent submitter of patches from Ubuntu in recent
> history, so I'd like to invite him to join. Alternatively, Serge, feel
> free to suggest someone else to represent Ubuntu's interests.

Is it worth adding any BSD representation? Roman Bogorodskiy might be
the best candidate on that front.

> If any other vendors/distros have security people who are responsible
> for dealing with libvirt security issues, and want to join to get early
> disclosure of issues, they can suggest people. Existing security team
> members will vet / approve such requests to ensure they are genuine.
>
> Anyone on the team / list will be **required** to honour any embargo
> period agreed between members for non-public issues that are reported.
> The aim will be to have a maximum 2 week embargo period in the common
> case, extendable to 1 month if there is sufficient justification made.
> If anyone feels they are unable to follow such an embargo process for
> whatever reason, please decline membership of the security list/team.
>
> The patch which follows puts up some docs on the website about all of
> this
>
> Document how to report security bugs and the process that will be used
> for addressing them.
>
> Signed-off-by: Daniel P. Berrange berra...@redhat.com
> ---
>  docs/bugs.html.in            | 12 +
>  docs/contact.html.in         | 12 +
>  docs/securityprocess.html.in | 113 +++
>  docs/sitemap.html.in         | 4 ++
>  4 files changed, 141 insertions(+)
>  create mode 100644 docs/securityprocess.html.in

Thanks for tackling this. It definitely sounds useful, especially as
your pending work on ACLs will mean that more issues might have CVE
status (previously, a bug was generally treated as CVE-worthy only if it
was provable that a read-only connection could cause denial-of-service
to a read-write connection; but with ACLs, any action on a read-write
connection that violates ACL boundaries of any other connection is a
CVE).

diff --git a/docs/bugs.html.in b/docs/bugs.html.in index 3d79b32..71e43e4 100644 --- a/docs/bugs.html.in +++ b/docs/bugs.html.in
@@ -7,6 +7,18 @@ ul id=toc/ul +h2a name=securitySecurity Issues/a/h2 + +p + If you think that an issue with libvirt may have security + implications, strongplease do not/strong publically s/publically/publicly/ + report it in the bug tracker, mailing lists, or irc. Libvirt + has a href=securityprocess.htmla dedicated process for handling (potential) security issues/a Wrap the long line? + that should be used instead. So if your issue has security + implications, ignore the rest of this page and follow the + a href=securityprocess.htmlsecurity process/a instead. +/p + h2a name=bugzillaBug Tracking/a/h2 p diff --git a/docs/contact.html.in b/docs/contact.html.in index e34de67..51cc775 100644 --- a/docs/contact.html.in +++ b/docs/contact.html.in @@ -6,6 +6,18 @@ ul id=toc/ul +h2a name=securitySecurity Issues/a/h2 + +p + If you think that an issue with libvirt may have security + implications, strongplease do not/strong publically copy-paste, so same comments as above. + report it in the bug tracker, mailing lists, or irc. Libvirt + has a href=securityprocess.htmla
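Review bot: in the bugs.html.in hunk (@@ -7,6 +7,18 @@), the new paragraph writes the protocol name in lower case in "report it in the bug tracker, mailing lists, or irc"; it should read "IRC". The same paragraph also links securityprocess.html twice within three sentences ("a dedicated process for handling (potential) security issues" and "security process"); keep the first link and make the second mention plain text so the paragraph reads as one instruction rather than two links to the same page.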
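Review bot: the contact.html.in hunk (@@ -6,6 +6,18 @@) repeats the bugs.html.in paragraph verbatim, so the "publically" typo and the lower-case "irc" are present here as well. Whatever wording is settled on for bugs.html.in must be applied to both files in the same revision, or the paragraph should be moved into one shared fragment that both pages pull in, so the two copies cannot drift apart on later edits.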
Re: [libvirt] [PATCH] Document security reporting handling process
On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>> From: Daniel P. Berrange berra...@redhat.com
>>
>> Historically security issues in libvirt have been primarily triaged &
>> fixed by the Red Hat libvirt members & Red Hat security team, who then
>> usually notify other vendors via appropriate channels. There have been
>> a number of times when vendors have not been properly notified ahead of
>> announcement. It has also disadvantaged community members who have to
>> backport fixes to releases for which there are no current libvirt
>> stable branches.
>>
>> To address this, we want to make the libvirt security process entirely
>> community focused / driven. To this end I have setup a new email
>> address libvirt-secur...@redhat.com for end users to report bugs which
>> have (possible) security implications.
>>
>> This email addr is backed by an invitation only, private archive,
>> mailing list. The intent is for the list membership to comprise a
>> subset of the libvirt core team, along with any vendor security team
>> engineers who wish to participate in a responsible disclosure process
>> for libvirt. Members of the list will be responsible for analysing the
>> problem to determine if a security issue exists and then issue fixes
>> for all current official stable branches & git master.
>>
>> I am proposing the following libvirt core team people as members of
>> the security team / list (all cc'd):
>>
>>   Daniel Berrange (Red Hat)
>>   Eric Blake (Red Hat)
>>   Jiri Denemar (Red Hat)
>>   Daniel Veillard (Red Hat)
>>   Jim Fehlig (SUSE)
>>   Doug Goldstein (Gentoo)
>>   Guido Günther (Debian)
>>
>> We don't have anyone from Ubuntu on the libvirt core team. Serge Hallyn
>> is the most frequent submitter of patches from Ubuntu in recent
>> history, so I'd like to invite him to join. Alternatively, Serge, feel
>> free to suggest someone else to represent Ubuntu's interests.
>
> Is it worth adding any BSD representation? Roman Bogorodskiy might be
> the best candidate on that front.

Yep, meant to mention that.

I was not sure whether any *BSD is actually distributing formal libvirt
packages to users yet, or if they're still just at the code porting
stage. Roman, what's the status of the FreeBSD port / packaging effort
from your POV ?

Daniel

--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
Re: [libvirt] [PATCH] Document security reporting handling process
Daniel P. Berrange wrote:
> On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
>> On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
>>> From: Daniel P. Berrange berra...@redhat.com
>>>
>>> Historically security issues in libvirt have been primarily triaged &
>>> fixed by the Red Hat libvirt members & Red Hat security team, who then
>>> usually notify other vendors via appropriate channels. There have been
>>> a number of times when vendors have not been properly notified ahead of
>>> announcement. It has also disadvantaged community members who have to
>>> backport fixes to releases for which there are no current libvirt
>>> stable branches.
>>>
>>> To address this, we want to make the libvirt security process entirely
>>> community focused / driven. To this end I have setup a new email
>>> address libvirt-secur...@redhat.com for end users to report bugs which
>>> have (possible) security implications.
>>>
>>> This email addr is backed by an invitation only, private archive,
>>> mailing list. The intent is for the list membership to comprise a
>>> subset of the libvirt core team, along with any vendor security team
>>> engineers who wish to participate in a responsible disclosure process
>>> for libvirt. Members of the list will be responsible for analysing the
>>> problem to determine if a security issue exists and then issue fixes
>>> for all current official stable branches & git master.
>>>
>>> I am proposing the following libvirt core team people as members of
>>> the security team / list (all cc'd):
>>>
>>>   Daniel Berrange (Red Hat)
>>>   Eric Blake (Red Hat)
>>>   Jiri Denemar (Red Hat)
>>>   Daniel Veillard (Red Hat)
>>>   Jim Fehlig (SUSE)
>>>   Doug Goldstein (Gentoo)
>>>   Guido Günther (Debian)
>>>
>>> We don't have anyone from Ubuntu on the libvirt core team. Serge Hallyn
>>> is the most frequent submitter of patches from Ubuntu in recent
>>> history, so I'd like to invite him to join. Alternatively, Serge, feel
>>> free to suggest someone else to represent Ubuntu's interests.
>>
>> Is it worth adding any BSD representation? Roman Bogorodskiy might be
>> the best candidate on that front.
>
> Yep, meant to mention that.
>
> I was not sure whether any *BSD is actually distributing formal libvirt
> packages to users yet, or if they're still just at the code porting
> stage. Roman, what's the status of the FreeBSD port / packaging effort
> from your POV ?

FreeBSD has libvirt port: http://www.freshports.org/devel/libvirt/

It is maintained by Jason Helfman (CCed), so I think he's more
appropriate person for such kind of things. From my side, I'd be happy
to help also.

Roman Bogorodskiy