1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
|
A Narrative Introduction to the Testing Security Tracker
About
-----
Everything that Testing Security does is publicly available, as in
"Debian doesn't hide problems" available.
The best thing about our tracking 'system' is that it is very basic.
There is no horrible overhead of web-based ticket/issue trackers, its
just a subversion repository and some text files that we
collaboratively edit and then some scripts to parse these files and
generate useful reports available online. Everything is designed to be
very simple to use, transparent and easy to see what other people are
working on so you can work on other things.
Why are these issues disclosed to the public?
The way we look at it is that 99% of all vulnerabilities are already
public, and 1% are vendor-sec/embargoed issues.
Stable security deals with embargoed/vendor-sec issues, we don't, we
deal with issues that have already been assigned CVE numbers (although
we often times request these assignments), have been posted to common
security mailing lists, or are seen in commit logs of software that is
tracked (such as the Linux Kernel).
It is our philosophy that if the Internet knows that there is a
vulnerability in something, then we better know about it and the
package maintainer needs to know about it and it needs to be fixed as
soon as possible. It doesn't make sense to hide issues that everyone
knows about already, in fact users have told us that they prefer to
know not only when a package they have installed is vulnerable (so
they can disable it or firewall it off, or patch it or whatever), but
to also know that Debian is working on a fix. Transparency is what our
users expect, and what they deserve. Tracking publicly known issues
openly (and the occasional unfortunate embargoed issue privately) is
good for the project as a whole, especially the public's perception of
the project.
Gentle Introduction
--------------------
This following will give you a basic walk-through of how the files are
structured and how we do our work tracking issues. There is much more
that can be documented, but it is difficult to get all the issues
notated and updated. It is easier to get a basic idea and then
extrapolate from there how to do the rest. Ok, thats a bad excuse, so
the full information should be filled in.
The best way to understand is to check out our repository from
subversion so you have the files on your computer and can follow along
at home. To do this, you need an Alioth account, and then you just
need to do the following:
svn co svn+ssh://svn.debian.org/svn/secure-testing
This will check out our working repository into a directory called
secure-testing. Inside this directory are a number of subdirectories.
The data directory is where we do most of our work.
If you don't need write access, you can of course check out our files
without an Alioth account as well:
svn co svn://svn.debian.org/svn/secure-testing
Automatic Issue Updates
-----------------------
Twice a day a cronjob runs that pulls down the latest full CVE lists
from Mitre, this automatically gets checked into data/CVE/list. We get
notified via either email
(http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits)
of every SVN commit, by RSS feed
(http://svn.debian.org/wsvn/secure-testing/?op=rss&rev=0&sc=0&isdir=1)
or via the CIA bot on #debian-security on OFTC. For example, the bot
will say in the channel:
17:14 < CIA-1> joeyh * r2314 /data/CVE/list: automatic CAN database update
Most of our work is taking the new issues that Mitre releases and
processing them so that the tracking data is correct. Read on for how we
do this.
Processing TODO entries
-----------------------
The Mitre update typically manifests in new CVE entries. So what we do
is to update our svn repository and then edit data/CVE/list and look
for new TODO entries. These will often be in blocks of 10-50 or so,
depending on how many new issues they have assigned. Depending on how
you feel you will "claim" a block of say 10 new entries by
putting your name in the file at the beginning and the end of the new
TODO entries and then commit the repository. This looks like this:
begin claimed by jmm
CVE-2005-4066 (Total Commander 6.53 uses weak encryption to store FTP
usernams and ...)
TODO: check
CVE-2005-4065 (SQL injection vulnerability in the search module in
Edgewall Trac ...)
TODO: check
CVE-2005-4030 (SQL injection vulnerability in Quicksilver Forums
before 1.5.1 allows ...)
TODO: check
end claimed by jmm
Once these are checked-in, then others will not do work on these TODO
issues.
Issues Not-For-Us (NFU)
-----------------------
Processing your claimed entries is done by first seeing if the issue
is related to any software packaged in Debian, if it isn't a package
in Debian and has no ITP then you note that in the file, for example:
CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of
service ...)
NOT-FOR-US: Safari
Reserved entries
----------------
Several security problems have coordinated dates of public disclosure,
i.e. a CVE identifier has been assigned to a problem, but it's not
public yet. Also, several vendors have a pool of CVE ids they can
assign to problems that are detected in their products. Such entries
are marked as RESERVED in the tracker:
CVE-2005-1432
RESERVED
Rejected entries
----------------
Sometimes there are CVE assignments that later turn out to be duplicates,
mistakes or non-issues. These items are reverted and turned into REJECTED
entries:
CVE-2005-4129
REJECTED
ITP packages
------------
If it is a package that someone has filed an RFP or ITP for, then that
is also noted, so it can be tracked to make sure that the issue is
resolved before the package enters the archive:
CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
in Serendipity ...)
- serendipity <itp> (bug #312413)
Packages in the archive
-----------------------
If it is a package in Debian, look to see if the package is affected or
not (sometimes newer versions that have the fixes have already been
uploaded).
If the version has been fixed already, note the package name and the
Debian version that fixes it and assign a severity level to it, for
example:
CVE-2005-2596 (User.php in Gallery, as used in Postnuke, allows users
with any Admin ...)
- gallery 1.5-2 (medium)
If it hasn't been fixed, we determine if there has been a bug filed
about the issue, and if not, file one and then note it in the list
(again with a severity level):
CVE-2005-3054 (fopen_wrappers.c in PHP 4.4.0, and possibly other
versions, does not ...)
- php4 <unfixed> (bug #353585; medium)
- php5 <unfixed> (bug #353585; medium)
Bug numbers can be added as in the example above. To avoid duplicate bugs,
"bug filed" can be added instead of "bug #123456" when the bug report has
been sent but the bug number is not yet known. The bug numbers are used
to add additional references for the overview page and the Security Bug
Tracker and they are parsed by a script that generates user tags "tracked"
for the user debian-security@lists.debian.org. This way you can generate
a BTS query for all issues in the BTS that are tagged "security" and are
not yet added to our tracker:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@lists.debian.org;exclude=tracked
A special exception is made for kernel related issues. The kernel-sec group will take
care of them and file bugs if needed.
If a vulnerability does not affect Debian, e.g. because the vulnerable
code is not contained, it is marked as <not-affected>:
CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...)
- thttpd <not-affected> (Windows-specific vulnerabilities)
<not-affected> is also used if a vulnerability was fixed before a
package was uploaded into the Debian archive.
Sometimes there are cases, where a vulnerability hasn't been fixed with
a code change, but simply by deciding that a package is that broken that
it needs to be removed from the archive entirely. This is tracked with
the <removed> tag:
CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
- openwebmail <removed>
After a new Debian release, some packages vanish from the database,
and consistency checks might fail. In this case, a single <removed>
entry needs to be added to an input file, or the package name should
be included in the data/packages/removed-packages file.
Severity levels
---------------
These levels are mostly used to prioritize the order in which security
problems are resolved. Anyway, we have a rough overview on how you should
assess these levels.
unimportant: This problem does not affect the Debian binary package, e.g.
a vulnerable source file, which is not built, a vulnerable file
in doc/foo/examples/, PHP Safe mode bugs, path disclosure (doesn't
matter on Debian).
All "non-issues in practice" fall also into this category, like
issues only "exploitable" if the code in question is setuid root,
exploits which only work if someone already has administrative
privileges or similar.
low : A security problem, which has only mild security implications
and one would even be comfortable with if it continues to
be present (local DoS, /tmp file races and so on).
medium : For anything which permits code execution after user interaction.
Local privilege escalation vulnerabilities are in this category as
well, or remote privilege escalation if it's constrained to the
application (i.e. no shell access to the underlying system, such
as simple cross-site scripting). Most remote DoS vulnerabilities
fall into this category, too.
high : A typical, exploitable security problem, which you'll really
like to fix or at least implement a workaround. This could
be because the vulnerable code is very broadly used, because
an exploit is in the wild or because the attack vector is
very wide.
Should be put into that category anything that permits an attacker
to execute arbitrary code on the vulnerable system (with or
without root privileges) and high-impact denial-of-service bugs
(for instance, an IPv4 forwarding path vulnerability which
requires only very few packets to exploit).
Significant defects in security software can be rated "high" as
well (for instance, a vulnerability in a piece of cryptographic
software which flags forged digital signatures as genuine).
Certain packages may get higher or lower rating than usual, based on
their importance.
NOTE and TODO entries
---------------------
There are many instances where more work has to be done to determine
if something is affected, and you might not be able to do this at the
time. These entries can have their TODO line changed to something
descriptive so that it is clear what remains to be done. For example:
CVE-2005-3990 (Directory traversal vulnerability in FastJar 0.93
allows remote ...)
TODO: check, whether fastjar from the gcc source packages is affected
It is also useful to add information to issues as you find it, so that
when others go to look at an issue and want to know why you marked it
as you did, or need a reference, it will be there. The more
information left, the better. For example, the following entry lets
you know that CVE-2005-3258 doesn't affect the squid that we have
because the issue was introduced in a patch that was never applied to
the Debian package:
CVE-2005-3258 (The rfc1738_do_escape function in ftp.c for Squid 2.5
STABLE11 and ...)
- squid <not-affected> (bug #334882; medium)
NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
NOTE: this patch was never applied to the Debian package.
Distribution tags
-----------------
Our data is primarily targeted at sid, as we track the version that
a certain issue was fixed in sid. The Security Tracker web site (see
below) derives information about the applicability of a vulnerability
to stable and oldstable from the list of DSAs issued by the security
team and the fact that a source package is part of a release.
Distribution tags can be used to denote information about a vulnerability
for the version of a package in a specific release. An example:
CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on ...)
- drupal 4.5.6-1 (low)
[sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
Drupal has been fixed since 4.5.6, however Drupal from Sarge still isn't
vulnerable as the vulnerability is only effective when run under PHP 5,
which isn't part of Sarge.
Generated Reports
-----------------
All of this tracking information gets automatically parsed and
compared against madison to determine what has been fixed and what is
still waiting, this results in this website:
http://security-tracker.debian.net/
It incorporates package lists and parses distribution lists and can
thus be used to
- Present the security history of a package
- Provide overviews of vulnerable packages in stable, testing, sid and
oldstable (it still has some false positives, wrt packages in
stable that are present in stable, but not vulnerable, but these
will be ironed out soon). The oldstable data is likely inaccurate.
- Generate a list of packages that are subject to security problems, but
stuck in testing migration due to problems with the dependency chain
and thus candidates for a DTSA
- Generate a list of TODO issues that need to be addressed
- Generate a list of packages that will enter Debian soon and need to
be checked for security problems
- Generate a list of provisional IDs that need to be turned into proper
CVE entries
- Show some potential problems in the data pool (e.g. misspelled package
names not found in the packages list, or potentially missing epochs)
For every security problem it displays
- The CVE information
- A severity assessment by NVD
- Cross references to DTSAs, DSAs and bugs in the BTS
- The status of a security problem in stable, oldstable, testing and sid
- Additional notes from our tracker
The DSA list
------------
We maintain a list of all DSA advisories issued by the stable security
team. This information is used to derive information about the state
of security problems for the stable and oldstable distribution. An
entry for a DSA looks like this:
[21 Nov 2005] DSA-903-1 unzip - race condition
{CVE-2005-2475}
[woody] - unzip 5.50-1woody4
[sarge] - unzip 5.52-1sarge2
NOTE: fixed in testing at time of DSA
The first line tracks the date, when a DSA was issued, the DSA
identifier, the affected source package and the type of vulnerability.
The second line performs a cross-reference to the entry in CVE/list
that maintains the state of the vulnerability in sid. Every entry that
is added like this to DSA/list is parsed by a script and automatically
added to CVE/list. The next lines contain the fixes for stable and
optionally oldstable, addressed with distribution tags. You may add
NOTE: entries freely, we use a NOTE entry for statistical purposes
that tracks, when a fix has reached testing relative to the time when
it hit stable.
There is no need to add anything to CVE/list for a DSA, the DSA
cross-reference will be added automatically by the cron job. However,
you do need to add [sarge] or [woody] entries to CVE/list when there
is a 'no-dsa' or 'not-affected' condition.
The bin/dsa2list script can be used to generate a template for a new
DSA entry once the official DSA is published on the web. You should
not blindly trust the script output and double-check it, though.
Following up on security issues
-------------------------------
By simply loading this page and doing a little gardening of the
different issues many things can be done. One thing is that you can
read all the bug reports of each issue and see if new information has
been added to the end that might provide updated or changed
information (such as if an issue has been closed, or a version of the
package has been uploaded that contains the fix). It is also useful to
follow-up on the issues to prod the maintainer to deal with the issue,
which they may have forgotten about.
IRC Channel
-----------
We hang-out on #debian-security on OFTC, stop by the IRC channel if
you'd like, also we can add you to the alioth project so you have svn
write permission and you can test drive it on the testing issues for
however long you like to get an idea or feel comfortable (and hey it
helps!)
TODO:
document DTSAs
document tsck
document CVE-XXXX
document tracked tag
|
