「Arch Security Team」の版間の差分

提供: ArchWiki
ナビゲーションに移動 検索に移動
(英語版から転載)
 
(一部翻訳)
5行目: 5行目:
 
[[pt:Arch Security Team]]
 
[[pt:Arch Security Team]]
 
[[zh-hans:Arch Security Team]]
 
[[zh-hans:Arch Security Team]]
The Arch Security Team is a group of volunteers whose goal is to track security issues with Arch Linux packages. All issues are tracked on the [https://security.archlinux.org/ Arch Linux security tracker]. The team was formerly known as the ''Arch CVE Monitoring Team''.
+
Arch Security Team Arch Linux パッケージのセキュリティ問題を追跡することを目的としたボランティアグループです。全ての問題は [https://security.archlinux.org/ Arch Linux security tracker] で追跡されています。このチームは以前は ''Arch CVE Monitoring Team'' として知られていました。
   
== Mission ==
+
== 目的 ==
   
  +
Arch Security Team の使命は、Arch Linux のセキュリティの向上に貢献することです。
The mission of the Arch Security Team is to contribute to the improvement of the security of Arch Linux.
 
   
The most important duty of the team is to find and track issues assigned a [[wikipedia:Common_Vulnerabilities_and_Exposures|Common Vulnerabilities and Exposure]] (CVE). A CVE is public, it is identified by a unique ID of the form ''CVE-YYYY-number''.
+
チームの最も重要な任務は、[[wikipedia:Common_Vulnerabilities_and_Exposures|Common Vulnerabilities and Exposure]] に割り当てられた問題を発見し追跡することです。(CVE)といいます。CVE は公開されており、''CVE-YYYY-number''という形のユニークな ID で識別される。
   
  +
彼らは ASA (''Arch Linux Security Advisory'') を発行しており、これは Arch ユーザに配布される Arch 固有の警告です。ASA はピアレビューのために tracker にスケジュールされ、公開される前にチームメンバーから2つの承認が必要です。
They publish ASAs (''Arch Linux Security Advisory'') which is an Arch-specific warning disseminated to Arch users. ASAs are scheduled in the tracker for peer-review, and need two acknowledgments from team members before being published.
 
   
The [https://security.archlinux.org/ Arch Linux security tracker] is a platform used by the Arch Security Team to track packages, add CVEs and generate advisory text.
+
[https://security.archlinux.org/ Arch Linux security tracker] Arch Security Team がパッケージの追跡、CVE の追加、アドバイザリーテキストの生成に使用しているプラットフォームです。
   
 
{{Note|
 
{{Note|
* An ''Arch Linux Vulnerability Group'' (AVG) is a group of CVEs related to a set of packages within the same ''pkgbase''.
+
* Arch Linux Vulnerability Group'' (AVG) とは、同じ ''pkgbase'' 内のパッケージ群に関連する CVEs のグループです。
* Packages qualified for an advisory must be part of the ''core'', ''extra'', ''community'' or ''multilib'' repository.
+
* 勧告の対象となるパッケージは ''core'', ''extra'', ''community'', ''multilib'' リポジトリの一部です。
 
}}
 
}}
   

2022年2月6日 (日) 20:51時点における版

Arch Security Team は Arch Linux パッケージのセキュリティ問題を追跡することを目的としたボランティアグループです。全ての問題は Arch Linux security tracker で追跡されています。このチームは以前は Arch CVE Monitoring Team として知られていました。

目的

Arch Security Team の使命は、Arch Linux のセキュリティの向上に貢献することです。

チームの最も重要な任務は、Common Vulnerabilities and Exposure に割り当てられた問題を発見し追跡することです。(CVE)といいます。CVE は公開されており、CVE-YYYY-numberという形のユニークな ID で識別される。

彼らは ASA (Arch Linux Security Advisory) を発行しており、これは Arch ユーザに配布される Arch 固有の警告です。ASA はピアレビューのために tracker にスケジュールされ、公開される前にチームメンバーから2つの承認が必要です。

Arch Linux security tracker は Arch Security Team がパッケージの追跡、CVE の追加、アドバイザリーテキストの生成に使用しているプラットフォームです。

ノート:
  • Arch Linux Vulnerability Group (AVG) とは、同じ pkgbase 内のパッケージ群に関連する CVEs のグループです。
  • 勧告の対象となるパッケージは core, extra, community, multilib リポジトリの一部です。

Contribute

To get involved in the identification of the vulnerabilities, it is recommended to:

  • Follow the #archlinux-security IRC channel. It is the main communication medium for reporting and discussing CVEs, packages affected and first fixed package version.
  • In order to be warned early about new issues, one can monitor the recommended #Mailing lists for new CVEs, along with other sources if required.
  • We encourage volunteers to look over the advisories for mistakes, questions, or comments and report in the IRC channel.
  • Subscribe to the mailing lists arch-security and oss-security.
  • Committing code to the arch-security-tracker (GitHub) project is a great way to contribute to the team.
  • Derivative distributions that rely on Arch Linux package repositories are encouraged to contribute. This helps the security of all the users.

Procedure

The procedure to follow whenever a security vulnerability has been found in a software packaged within the Arch Linux official repositories is the following:

Information sharing and investigation phase

  • Reach out an Arch Security Team member via your preferred channel to ensure the issue has been brought to the attention of the team.
  • In order to substantiate the vulnerability, verify the CVE report against the current package version (including possible patches), and collect as much information as possible on the issue, including via search engines. If you need help to investigate the security issue, ask for advice or support on the IRC channel.

Upstream situation and bug reporting

Two situations may arise:

  • If upstream released a new version that fixes the issue, the Security Team member should flag the package out-of-date.
    • If the package has not been updated after a long delay, a bug report should be filed about the vulnerability.
    • If this is a critical security issue, a bug report must be filed immediately after flagging the package out-of-date.
  • If there is no upstream release available, a bug report must be filed including the patches for mitigation. The following information must be provided in the bug report:
    • Description about the security issue and its impact
    • Links to the CVE-IDs and (upstream) report
    • If no release is available, links to the upstream patches (or attachments) that mitigate the issue

Tracking and publishing

The following tasks must be performed by team members:

  • A team member will create an advisory on the security tracker and add the CVEs for tracking.
  • A team member with access to arch-security will generate an ASA from the tracker and publish it.
ノート: If you have a private bug to report, contact security@archlinux.org. Please note that the address for private bug reporting is security, not arch-security. A private bug is one that is too sensitive to post where anyone can read and exploit it, e.g. vulnerabilities in the Arch Linux infrastructure.

Resources

RSS

National Vulnerability Database (NVD)
All CVE vulnerabilites: https://nvd.nist.gov/download/nvd-rss.xml
All fully analyzed CVE vulnerabilities: https://nvd.nist.gov/download/nvd-rss-analyzed.xml

Mailing lists

oss-sec
Main list dealing with security of free software, a lot of CVE attributions happen here, required if you wish to follow security news.
Info: https://oss-security.openwall.org/wiki/mailing-lists/oss-security
Subscribe: oss-security-subscribe(at)lists.openwall.com
Archive: https://www.openwall.com/lists/oss-security/
BugTraq
A full disclosure moderated mailing list (noisy).
Info: https://www.securityfocus.com/archive/1/description
Subscribe: bugtraq-subscribe(at)securityfocus.com
Full Disclosure
Another full-disclosure mailing-list (noisy).
Info: https://nmap.org/mailman/listinfo/fulldisclosure
Subscribe: full-disclosure-request(at)seclists.org

Also consider following the mailing lists for specific packages, such as LibreOffice, X.org, Puppetlabs, ISC, etc.

Other distributions

Resources of other distributions (to look for CVE, patch, comments etc.):

RedHat and Fedora
Advisories feed: https://bodhi.fedoraproject.org/rss/updates/?type=security
CVE tracker: https://access.redhat.com/security/cve/<CVE-ID>
Bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-ID>
Ubuntu
Advisories feed: https://usn.ubuntu.com/usn/atom.xml
CVE tracker: https://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-ID>
Database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
Debian
CVE tracker: https://security-tracker.debian.org/tracker/<CVE-ID>/
Patch tracker: https://tracker.debian.org/pkg/patch
Database: https://salsa.debian.org/security-tracker-team/security-tracker/tree/master/data
OpenSUSE
CVE tracker: https://www.suse.com/security/cve/<CVE-ID>/

Other

Mitre and NVD links for CVE's
https://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-ID>
https://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-ID>

NVD and Mitre do not necessarily fill their CVE entry immediately after attribution, so it is not always relevant for Arch. The CVE-ID and the "Date Entry Created" fields do not have particular meaning. CVE are attributed by CVE Numbering Authorities (CNA), and each CNA obtain CVE blocks from Mitre when needed/asked, so the CVE ID is not linked to the attribution date. The "Date Entry Created" field often only indicates when the CVE block was given to the CNA, nothing more.

Linux Weekly News
LWN provides a daily notice of security updates for various distributions.
https://lwn.net/headlines/newrss

More

For more resources, please see the OpenWall's Open Source Software Security Wiki.

Team members

The current members of the Arch Security Team are:

ヒント: Type !pingsec Message to the Arch Security Team in any IRC channel where phrik is present to highlight all current security team members.