[Legacy] Mentoring for vulnerability bug tracking -- kernel, and general

Hi,

(Please forgive me for cross-posting, but I thought I'd post this question
to all the relevant groups I could think of.  Please let me know if I am
committing a cross-posting felony here.  :)  )

I am in the process of mentoring someone to help them learn how to do
vulnerability tracking for Fedora Legacy.  This evening, we were looking
at doing that for the kernels.  We quickly got confused, though, because
we weren't sure how to go about making sure we only report issues into
Bugzilla that would be relevant kernel issues for Fedora Legacy at this
time.

One complicating factor here is that we in Legacy don't necessarily
release kernels in any kind of lock-step with what either Fedora Core or
Red Hat Enterprise Linux does, so the issues we have to fix are a
different subset of issues than what is reported in any given RHSA or
FEDORA release announcement.  And even if we did release kernels in
lockstep, no doubt there would still be differing CVEs per distro.

(For those of you not familiar with Legacy processes:  we normally put
multiple CVE issues [maybe as many as dozens of CVEs] into a single
bugzilla report for a given .src.rpm component; and we also put multiple
distros in a given bugzilla ticket as well, using a "Version" tag of
"unspecified" and tracking what distros are being worked on and their
statuses via the use of Status Whiteboard entries.  For more information
about this, you can refer to
<http://fedoraproject.org/wiki/Legacy/StatusWhiteboard>, and the most
recent completed Legacy kernel bug is here in case you're interested:
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459>.)

I started to suggest to my mentee this method:  Have a look at the latest
release announcements from Fedora Legacy for the kernels that we maintain,
and then look for issues in the usual places (e.g., those resources listed
in <http://fedoraproject.org/wiki/Legacy/VulnerabilityTracking>) that have
come up since we released our latest security-fixed kernels.  That would
provide a list of CVEs to then put in a new Bugzilla ticket or add to an
already-existing ticket that would likely be relevant.  But is this
enough?

Does this method sound workable to you?  Are we missing something?  Do you
have some better ideas on how to track kernel vulnerabilities to get
those vulnerabilities properly listed in a Bugzilla ticket to be worked
on?

A more general question is this:  How do we in Fedora Legacy track
vulnerabilities and make sure that we are aware of all the relevant
vulnerabilities for the packages that we maintain, and haven't missed
something?

The fedora-security-list and Josh Bressers are using audit files to track
all relevant security vulnerabilities for their sets of packages, which
are kept in CVS here,
  <http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora>

but we here in Fedora Legacy haven't started using this kind of tool yet.
Is it time for us to start doing so?  If so, are any of you interested in
forming some kind of vulnerability tracking team and getting started on
such list(s) for the products we maintain?

Thanks much in advance!

	Regards,

	David Eisenstein
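As an added illustration of the method proposed in the message above (this is not part of the original post and not a Fedora Legacy tool), the script below takes announcement text gathered since the last Legacy kernel release, pulls out the CVE identifiers (normalising the older CAN- prefix), keeps only the lines that name the component of interest, and reports which identifiers the existing Bugzilla ticket does not yet list. The announcement excerpts, ticket contents and every CVE number in it are constructed placeholders.

```python
import re

# Constructed sample: excerpts in the style of the release announcements the
# post suggests scanning. All CVE/CAN numbers here are placeholders, not real ones.
NEW_ANNOUNCEMENTS = """\
FEDORA-PLACEHOLDER-1: kernel update fixes CVE-2005-9001 and CAN-2005-9002.
RHSA-PLACEHOLDER-2: kernel security update addresses CVE-2005-9002, CVE-2005-9003.
FEDORA-PLACEHOLDER-3: openssl update fixes CVE-2005-9099.
"""

# CVE IDs already listed in the existing Legacy kernel Bugzilla ticket (constructed).
TRACKED_IN_TICKET = {"CVE-2005-9001"}

# Matches both the current CVE- prefix and the older CAN- (candidate) prefix.
CVE_RE = re.compile(r"\b(?:CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text, component=None):
    """Return the set of CVE IDs mentioned in text, normalising CAN- to CVE-.

    If component is given (e.g. "kernel"), only lines naming that component
    are considered, so advisories for unrelated packages in the same feed
    are skipped.  This per-line match is a heuristic, not a parser.
    """
    found = set()
    for line in text.splitlines():
        if component and component.lower() not in line.lower():
            continue
        for year, num in CVE_RE.findall(line):
            found.add(f"CVE-{year}-{num}")
    return found


def untracked_cves(announcements, tracked, component=None):
    """IDs from the announcements that the existing ticket does not yet list."""
    return sorted(extract_cves(announcements, component) - set(tracked))


if __name__ == "__main__":
    for cve in untracked_cves(NEW_ANNOUNCEMENTS, TRACKED_IN_TICKET, "kernel"):
        print("not yet tracked in the Legacy kernel ticket:", cve)
```

The resulting list is only a candidate set: each identifier still has to be checked by hand against the kernel version Legacy actually ships before it goes into the ticket or its Status Whiteboard.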

