/[secure-testing]/doc/narrative_introduction
ViewVC logotype

Contents of /doc/narrative_introduction

Parent Directory Parent Directory | Revision Log Revision Log

Revision 5280 - (hide annotations) (download)
Tue Jan 16 22:27:40 2007 UTC (6 years, 4 months ago) by djoume-guest
File size: 16419 byte(s) 
Removed the reference to NVD scoring and add some details about how to set the
severity (from what have been said on the mailing list).
1 micah 2985 A Narrative Introduction to the Testing Security Tracker
2    
3    
4     About
5     -----
6    
7     Everything that Testing Security does is publically available, as in
8     "Debian doesn't hide problems" available.
9    
10     The best thing about our tracking 'system' is that it is very basic.
11     There is no horrible overhead of web-based ticket/issue trackers, its
12     just a subversion repository and some text files that we
13     collaboratively edit and then some scripts to parse these files and
14     generate useful reports available online. Everything is designed to be
15     very simple to use, transparant and easy to see what other people are
16     working on so you can work on other things.
17    
18     Why are these issues disclosed to the public?
19    
20     The way we look at it is that 99% of all vulnerabilities are already
21     public, and 1% are vendor-sec/embargoed issues.
22    
23     Stable security deals with embargoed/vendor-sec issues, we don't, we
24     deal with issues that have already been assigned CVE numbers (although
25     we often times request these assignments), have been posted to common
26     security mailing lists, or are seen in commit logs of software that is
27     tracked (such as the Linux Kernel).
28    
29     It is our philosophy that if the Internet knows that there is a
30     vulnerability in something, then we better know about it and the
31     package maintainer needs to know about it and it needs to be fixed as
32     soon as possible. It doesn't make sense to hide issues that everyone
33     knows about already, in fact users have told us that they prefer to
34     know not only when a package they have installed is vulnerable (so
35     they can disable it or firewall it off, or patch it or whatever), but
36     to also know that Debian is working on a fix. Transparancy is what our
37     users expect, and what they deserve. Tracking publically known issues
38     openly (and the occasional unfortunate embargoed issue privately) is
39     good for the project as a whole, especially the public's perception of
40     the project.
41    
42 micah 3520 Gentle Introduction
43 micah 2985 --------------------
44    
45     This following will give you a basic walk-through of how the files are
46     structured and how we do our work tracking issues. There is much more
47     that can be documented, but it is difficult to get all the issues
48     notated and updated. It is easier to get a basic idea and then
49     extrapolate from there how to do the rest. Ok, thats a bad excuse, so
50     the full information should be filled in.
51    
52     The best way to understand is to check out our repository from
53     subversion so you have the files on your computer and can follow along
54     at home. To do this, you need an Alioth account, and then you just
55     need to do the following:
56    
57     svn co svn+ssh://svn.debian.org/svn/secure-testing
58    
59     This will check out our working repository into a directory called
60     secure-testing. Inside this directory are a number of subdirectories.
61     The data directory is where we do most of our work.
62    
63 jmm-guest 2991 If you don't need write access, you can of course check out our files
64     without an Alioth account as well:
65    
66     svn co svn://svn.debian.org/svn/secure-testing
67    
68 micah 2985 Automatic Issue Updates
69     -----------------------
70     Twice a day a cronjob runs that pulls down the latest full CVE lists
71     from Mitre, this automatically gets checked into data/CVE/list. We get
72     notified via either email
73     (http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits)
74     of every SVN commit, by RSS feed
75     (http://svn.debian.org/wsvn/secure-testing/?op=rss&rev=0&sc=0&isdir=1)
76     or via the CIA bot on #debian-security on OFTC. For example, the bot
77     will say in the channel:
78    
79     17:14 < CIA-1> joeyh * r2314 /data/CVE/list: automatic CAN database update
80    
81     Most of our work is taking the new issues that Mitre releases and
82     processing them so that the tracking data is correct. Read on for how we
83     do this.
84    
85 neilm 5083 Processing TODO entries
86 micah 2985 -----------------------
87     The Mitre update typically manifests in new CVE entries. So what we do
88     is to update our svn repository and then edit data/CVE/list and look
89     for new TODO entries. These will often be in blocks of 10-50 or so,
90     depending on how many new issues they have assigned. Depending on how
91     you feel you will "claim" a block of say 10 new entries by
92     putting your name in the file at the beginning and the end of the new
93     TODO entries and then commit the repository. This looks like this:
94    
95     begin claimed by jmm
96     CVE-2005-4066 (Total Commander 6.53 uses weak encryption to store FTP
97     usernams and ...)
98     TODO: check
99     CVE-2005-4065 (SQL injection vulnerability in the search module in
100     Edgewall Trac ...)
101     TODO: check
102     CVE-2005-4030 (SQL injection vulnerability in Quicksilver Forums
103     before 1.5.1 allows ...)
104     TODO: check
105     end claimed by jmm
106    
107     Once these are checked-in, then others will not do work on these TODO
108     issues.
109    
110     Issues Not-For-Us (NFU)
111     -----------------------
112     Processing your claimed entires is done by first seeing if the issue
113     is related to any software packaged in Debian, if it isn't a package
114     in Debian and has no ITP then you note that in the file, for example:
115    
116     CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of
117     service ...)
118     NOT-FOR-US: Safari
119    
120 jmm-guest 3029 Reserved entries
121     ----------------
122     Several security problems have coordinated dates of public disclosure,
123     i.e. a CVE identifier has been assigned to a problem, but it's not
124     public yet. Also, several vendors have a pool of CVE ids they can
125     assign to problems that are detected in their products. Such entries
126     are marked as RESERVED in the tracker:
127 micah 2985
128 jmm-guest 3029 CVE-2005-1432
129     RESERVED
130    
131     Rejected entries
132     ----------------
133     Sometimes there are CVE assignments that later turn out to be duplicates,
134     mistakes or non-issues. These items are reverted and turned into REJECTED
135     entries:
136    
137     CVE-2005-4129
138     REJECTED
139    
140 micah 2985 ITP packages
141     ------------
142     If it is a package that someone has filed an RFP or ITP for, then that
143     is also noted, so it can be tracked to make sure that the issue is
144     resolved before the package enters the archive:
145    
146     CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
147     in Serendipity ...)
148     - serendipity <itp> (bug #312413)
149    
150    
151     Packages in the archive
152     -----------------------
153 neilm 5083 If it is a package in Debian, look to see if the package is affected or
154     not (sometimes newer versions that have the fixes have already been
155     uploaded).
156 micah 2985
157     If the version has been fixed already, note the package name and the
158     Debian version that fixes it and assign a severity level to it, for
159     example:
160    
161     CVE-2005-2596 (User.php in Gallery, as used in Postnuke, allows users
162     with any Admin ...)
163     - gallery 1.5-2 (medium)
164    
165 neilm 5083 If it hasn't been fixed, we determine if there has been a bug filed
166     about the issue, and if not, file one and then note it in the list
167     (again with a severity level):
168 micah 2985
169     CVE-2005-3054 (fopen_wrappers.c in PHP 4.4.0, and possibly other
170     versions, does not ...)
171     - php4 <unfixed> (bug #353585; medium)
172     - php5 <unfixed> (bug #353585; medium)
173    
174 stef-guest 4001 Bug numbers can be added as in the example above. To avoid duplicate bugs,
175     "bug filed" can be added instead of "bug #123456" when the bug report has
176     been sent but the bug number is not yet known. The bug numbers are used
177     to add additional references for the overview page and the Security Bug
178     Tracker and they are parsed by a script that generates user tags "tracked"
179     for the user debian-security@lists.debian.org. This way you can generate
180     a BTS query for all issues in the BTS that are tagged "security" and are
181     not yet added to our tracker:
182 jmm-guest 3039 http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@lists.debian.org;exclude=tracked
183    
184 jmm-guest 3029 If a vulnerability does not affect Debian, e.g. because the vulnerable
185     code is not contained, it is marked as <not-affected>:
186    
187     CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...)
188     - thttpd <not-affected> (Windows-specific vulnerabilities)
189    
190     <not-affected> is also used if a vulnerability was fixed before a
191     package was uploaded into the Debian archive.
192    
193     Sometimes there are cases, where a vulnerability hasn't been fixed with
194     a code change, but simply by deciding that a package is that broken that
195     it needs to be removed from the archive entirely. This is tracked with
196     the <removed> tag:
197    
198     CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
199     - openwebmail <removed>
200    
201    
202 jmm-guest 2991 Severity levels
203     ---------------
204     These levels are mostly used to prioritize the order in which security
205     problems are resolved. Anyway, we have a rough overview on how you should
206 djoume-guest 5280 assess these levels.
207 jmm-guest 2991
208     unimportant: This problem does not affect the Debian binary package, e.g.
209 djoume-guest 5280 a vulnerable source file, which is not built, a vulnerable file
210     in doc/foo/examples/, PHP Safe mode bugs, path disclosure (doesn't
211     matter on Debian).
212     All "non-issues in practice" fall also into this category, like
213     issues only "exploitable" if the code in question is setuid root,
214     exploits which only work if someone already has administrative
215     privileges or similar.
216    
217 jmm-guest 2991 low : A security problem, which has only mild security implications
218     and one would even be comfortable with if it continues to
219 djoume-guest 5280 be present (local DoS, /tmp file races and so on).
220    
221     medium : For anything which permits code execution after user interaction.
222     Local privilege escalation vulnerabilities are in this category as
223     well, or remote privilege escalation if it's constrained to the
224     application (i.e. no shell access to the underlying system, such
225     as simple cross-site scripting). Most remote DoS vulnerabilities
226     fall into this category, too.
227    
228 jmm-guest 2991 high : A typical, exploitable security problem, which you'll really
229 jmm-guest 3029 like to fix or at least implement a workaround. This could
230 jmm-guest 2991 be because the vulnerable code is very broadly used, because
231     an exploit is in the wild or because the attack vector is
232 djoume-guest 5280 very wide.
233     Should be put into that category anything that permits an attacker
234     to execute arbitrary code on the vulnerable system (with or
235     without root privileges) and high-impact denial-of-service bugs
236     (for instance, an IPv4 forwarding path vulnerability which
237     requires only very few packets to exploit).
238     Significant defects in security software can be rated "high" as
239     well (for instance, a vulnerability in a piece of cryptographic
240     software which flags forged digital signatures as genuine).
241 jmm-guest 2991
242 djoume-guest 5280
243     Certain packages may get higher or lower rating than usual, based on
244     their importance.
245    
246    
247 micah 2985 NOTE and TODO entries
248     ---------------------
249     There are many instances where more work has to be done to determine
250     if something is affected, and you might not be able to do this at the
251     time. These entries can have their TODO line changed to something
252     descriptive so that it is clear what remains to be done. For example:
253    
254     CVE-2005-3990 (Directory traversal vulnerability in FastJar 0.93
255     allows remote ...)
256     TODO: check, whether fastjar from the gcc source packages is affected
257    
258     It is also useful to add information to issues as you find it, so that
259     when others go to look at an issue and want to know why you marked it
260     as you did, or need a reference, it will be there. The more
261     information left, the better. For example, the following entry lets
262     you know that CVE-2005-3258 doesn't affect the squid that we have
263     because the issue was introduced in a patch that was never applied to
264     the Debian package:
265    
266     CVE-2005-3258 (The rfc1738_do_escape function in ftp.c for Squid 2.5
267     STABLE11 and ...)
268     - squid <not-affected> (bug #334882; medium)
269     NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
270     NOTE: this patch was never applied to the Debian package.
271    
272 jmm-guest 3027 Distribution tags
273     -----------------
274     Our data is primarily targeted at sid, as we track the version that
275     a certain issue was fixed in sid. The Security Tracker web site (see
276     below) derives information about the applicability of a vulnerability
277     to stable and oldstable from the list of DSAs issued by the security
278     team and the fact that a source package is part of a release.
279     Distribution tags can be used to denote information about a vulnerability
280     for the version of a package in a specific release. An example:
281 micah 2985
282 jmm-guest 3027 CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on ...)
283     - drupal 4.5.6-1 (low)
284     [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
285    
286     Drupal has been fixed since 4.5.6, however Drupal from Sarge still isn't
287     vulnerable as the vulnerability is only effective when run under PHP 5,
288     which isn't part of Sarge.
289    
290 micah 2985 Generated Reports
291     -----------------
292     All of this tracking information gets automatically parsed and
293     compared against madison to determine what has been fixed and what is
294 joeyh 4589 still waiting, this results in this website:
295 micah 2985
296 joeyh 4589 http://security-tracker.debian.net/
297 micah 2985
298 joeyh 4589 It incorporates package lists and parses distribution lists and can
299     thus be used to
300     - Present the security history of a package
301     - Provide overviews of vulnerable packages in stable, testing, sid and
302     oldstable (it still has some false positives, wrt packages in
303     stable that are present in stable, but not vulnerable, but these
304     will be ironed out soon). The oldstable data is likely inaccurate.
305     - Generate a list of packages that are subject to security problems, but
306     stuck in testing migration due to problems with the dependency chain
307     and thus candidates for a DTSA
308     - Generate a list of TODO issues that need to be adressed
309     - Generate a list of packages that will enter Debian soon and need to
310     be checked for security problems
311     - Generate a list of provisional IDs that need to be turned into proper
312     CVE entries
313     - Show some potential problems in the data pool (e.g. misspelled package
314     names not found in the packages list, or potentially missing epochs)
315 micah 2985
316 joeyh 4589 For every security problem it displays
317     - The CVE information
318     - A severity assessment by NVD
319     - Cross references to DTSAs, DSAs and bugs in the BTS
320     - The status of a security problem in stable, oldstable, testing and sid
321     - Additional notes from our tracker
322 micah 2985
323 jmm-guest 3030 The DSA list
324     ------------
325     We maintain a list of all DSA advisories issued by the stable security
326     team. This information is used to derive information about the state
327     of security problems for the stable and oldstable distribution. An
328     entry for a DSA looks like this:
329    
330     [21 Nov 2005] DSA-903-1 unzip - race condition
331     {CVE-2005-2475}
332     [woody] - unzip 5.50-1woody4
333     [sarge] - unzip 5.52-1sarge2
334     NOTE: fixed in testing at time of DSA
335    
336 micah 3614 The first line tracks the date, when a DSA was issued, the DSA
337     identifier, the affected source package and the type of vulnerability.
338     The second line performs a cross-reference to the entry in CVE/list
339     that maintains the state of the vulnerability in sid. Every entry that
340     is added like this to DSA/list is parsed by a script and automatically
341     added to CVE/list. The next lines contain the fixes for stable and
342     optionally oldstable, addressed with distribution tags. You may add
343     NOTE: entries freely, we use a NOTE entry for statistical purposes
344     that tracks, when a fix has reached testing relative to the time when
345     it hit stable.
346 jmm-guest 3030
347 micah 3615 There is no need to add anything to CVE/list for a DSA, the DSA
348     cross-reference will be added automatically by the cron job. However,
349     you do need to add [sarge] or [woody] entries to CVE/list when there
350 micah 3614 is a 'no-dsa' or 'not-affected' condition.
351    
352 fw 3107 The bin/dsa2list script can be used to generate a template for a new
353     DSA entry once the official DSA is published on the web. You should
354     not blindly trust the script output and double-check it, though.
355    
356 micah 2985 Following up on security issues
357     -------------------------------
358     By simply loading this page and doing a little gardening of the
359     different issues many things can be done. One thing is that you can
360     read all the bug reports of each issue and see if new information has
361     been added to the end that might provide updated or changed
362     information (such as if an issue has been closed, or a version of the
363     package has been uploaded that contains the fix). It is also useful to
364     follow-up on the issues to prod the maintainer to deal with the issue,
365     which they may have forgotten about.
366    
367    
368     IRC Channel
369     -----------
370     We hang-out on #debian-security on OFTC, stop by the IRC channel if
371     you'd like, also we can add you to the alioth project so you have svn
372     write permission and you can test drive it on the testing issues for
373     however long you like to get an idea or feel comfortable (and hey it
374     helps!)
375    
376    
377     TODO:
378     document DTSAs
379     document tsck
380 jmm-guest 3032 document CVE-XXXX
381     document tracked tag
  ViewVC Help
Powered by ViewVC 1.1.5