Arch Security Team
The Arch Security Team is a group of volunteers whose goal is to track security issues in Arch Linux packages. All issues are tracked in the Arch Linux security tracker. The team was formerly known as the Arch CVE Monitoring Team.
Purpose
The mission of the Arch Security Team is to contribute to improving the security of Arch Linux.
The team's most important task is finding and tracking issues that have been assigned a Common Vulnerabilities and Exposures (CVE) identifier. CVEs are public and are identified by a unique ID of the form CVE-YYYY-number.
The team also publishes ASAs (Arch Linux Security Advisories), Arch-specific warnings distributed to Arch users. An ASA is scheduled on the tracker for peer review and needs two approvals from team members before it is published.
The Arch Linux security tracker is the platform the Arch Security Team uses to track packages, add CVEs and generate advisory text.
Contributing
To get involved in identifying vulnerabilities, the following is recommended:
- Follow the IRC channel #archlinux-security. This channel is the primary communication medium for reporting and discussing CVEs, affected packages and the first fixed package version.
- To be warned early about new issues, monitor the recommended #Mailing lists for new CVEs; other sources may also be used if needed.
- Volunteer to read through advisories, look for mistakes, questions or comments, and report them on the IRC channel.
- Subscribe to the arch-security and oss-security mailing lists.
- Committing code to the arch-security-tracker (GitHub) project is a great way to contribute to the team.
- Anyone from a derivative distribution that depends on the Arch Linux package repositories is encouraged to contribute; this helps the security of all users.
Procedure
The procedure to follow whenever a security vulnerability has been found in software packaged in the Arch Linux official repositories is the following:
Information sharing and investigation phase
- Reach out to an Arch Security Team member via your preferred channel to ensure the issue has been brought to the attention of the team.
- To substantiate the vulnerability, verify the CVE report against the current package version (including any applied patches) and collect as much information as possible on the issue, including via search engines. If you need help investigating the security issue, ask for advice or support on the IRC channel.
Upstream situation and bug reporting
Two situations may arise:
- If upstream released a new version that fixes the issue, the Security Team member should flag the package out-of-date.
  - If the package has not been updated after a long delay, a bug report should be filed about the vulnerability.
  - If this is a critical security issue, a bug report must be filed immediately after flagging the package out-of-date.
- If there is no upstream release available, a bug report must be filed including the patches for mitigation. The following information must be provided in the bug report:
  - Description of the security issue and its impact
  - Links to the CVE-IDs and the (upstream) report
  - If no release is available, links to the upstream patches (or attachments) that mitigate the issue
Tracking and publishing
The following tasks must be performed by team members:
- A team member will create an advisory on the security tracker and add the CVEs for tracking.
- A team member with access to arch-security will generate an ASA from the tracker and publish it.
Resources
RSS
- National Vulnerability Database (NVD)
  - All CVE vulnerabilities: https://nvd.nist.gov/download/nvd-rss.xml
  - All fully analyzed CVE vulnerabilities: https://nvd.nist.gov/download/nvd-rss-analyzed.xml
Mailing lists
- oss-sec
  - Main list dealing with the security of free software; a lot of CVE assignments happen here. Required if you wish to follow security news.
  - Info: https://oss-security.openwall.org/wiki/mailing-lists/oss-security
  - Subscribe: oss-security-subscribe(at)lists.openwall.com
  - Archive: https://www.openwall.com/lists/oss-security/
- BugTraq
  - A moderated full-disclosure mailing list (noisy).
  - Info: https://www.securityfocus.com/archive/1/description
  - Subscribe: bugtraq-subscribe(at)securityfocus.com
- Full Disclosure
  - Another full-disclosure mailing list (noisy).
  - Info: https://nmap.org/mailman/listinfo/fulldisclosure
  - Subscribe: full-disclosure-request(at)seclists.org
Also consider following the mailing lists of specific packages, such as LibreOffice, X.org, Puppetlabs, ISC, etc.
Other distributions
Resources of other distributions (to look for CVEs, patches, comments, etc.):
- RedHat and Fedora
  - Advisories feed: https://bodhi.fedoraproject.org/rss/updates/?type=security
  - CVE tracker: https://access.redhat.com/security/cve/<CVE-ID>
  - Bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-ID>
- Ubuntu
  - Advisories feed: https://usn.ubuntu.com/usn/atom.xml
  - CVE tracker: https://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-ID>
  - Database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
- Debian
  - CVE tracker: https://security-tracker.debian.org/tracker/<CVE-ID>/
  - Patch tracker: https://tracker.debian.org/pkg/patch
  - Database: https://salsa.debian.org/security-tracker-team/security-tracker/tree/master/data
- OpenSUSE
  - CVE tracker: https://www.suse.com/security/cve/<CVE-ID>/
Other
- Mitre and NVD links for CVEs
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-ID>
  - https://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-ID>
NVD and Mitre do not necessarily fill in their CVE entry immediately after assignment, so their entries are not always relevant for Arch. The CVE-ID and the "Date Entry Created" fields carry no particular meaning: CVEs are assigned by CVE Numbering Authorities (CNAs), and each CNA obtains blocks of CVE IDs from Mitre when needed or asked, so a CVE ID is not linked to the date it was assigned. The "Date Entry Created" field often only indicates when the CVE block was given to the CNA, nothing more.
- Linux Weekly News
  - LWN provides a daily notice of security updates for various distributions.
  - https://lwn.net/headlines/newrss
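As an added example (not part of this wiki page or of the Arch Security Team's tooling), the script below pulls CVE IDs out of a constructed RSS snippet shaped like the NVD feed listed above, normalizes and deduplicates them, and builds the cross-distribution lookup URLs from the `<CVE-ID>` templates in this section. The sample feed content and the `TRACKERS` mapping are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# CVE-YYYY-number form; the sequence part is at least four digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Lookup templates copied from the resource list above; {cve} stands in for <CVE-ID>.
TRACKERS = {
    "mitre": "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}",
    "nvd": "https://web.nvd.nist.gov/view/vuln/detail?vulnId={cve}",
    "redhat": "https://access.redhat.com/security/cve/{cve}",
    "ubuntu": "https://people.canonical.com/~ubuntu-security/cve/?cve={cve}",
    "debian": "https://security-tracker.debian.org/tracker/{cve}/",
    "suse": "https://www.suse.com/security/cve/{cve}/",
}

# Constructed sample in the shape of an RSS 2.0 feed; not real NVD output.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><title>CVE-2024-0001 (example)</title>
    <description>Constructed entry mentioning CVE-2024-0001.</description></item>
  <item><title>CVE-2024-12345 (example)</title>
    <description>Also references cve-2023-0002 in lowercase.</description></item>
</channel></rss>"""


def extract_cves(rss_text):
    """Return the CVE IDs found in item titles and descriptions, uppercased, deduplicated, sorted."""
    root = ET.fromstring(rss_text)
    found = set()
    for item in root.iter("item"):
        for tag in ("title", "description"):
            node = item.find(tag)
            if node is not None and node.text:
                # Uppercase first so lower-case mentions in free text are not missed.
                found.update(CVE_RE.findall(node.text.upper()))
    return sorted(found)


def tracker_urls(cve_id):
    """Build the lookup URLs for one CVE ID, rejecting anything that is not a CVE ID."""
    if not CVE_RE.fullmatch(cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return {name: tmpl.format(cve=cve_id) for name, tmpl in TRACKERS.items()}


if __name__ == "__main__":
    for cve in extract_cves(SAMPLE_RSS):
        print(cve, tracker_urls(cve)["nvd"])
```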
More
For more resources, please see OpenWall's Open Source Software Security Wiki.
Team members
The current members of the Arch Security Team are: