FW: Re: Secunia pages ... (from fedora-security-list)

David Eisenstein deisenst at gtw.net
Tue Mar 21 19:24:27 UTC 2006


Hi Legacy Folks,

I thought you all might find the following post by Josh Bressers to the
new Fedora-security-list to be of interest.  It gives some information
about the methodology that the Security Response Team at Red Hat uses in
discerning and triaging security-related bugs.

Do we in Legacy have any security-audit CVE tracking files like Josh
mentions below in Fedora's CVS?

    -David

---------- Forwarded message ----------
From: Josh Bressers <bressers at redhat.com>
To: David Eisenstein <deisenst at gtw.net>
Cc: fedora-security-list at redhat.com,
    Filip Tsachev <filip.tsachev at gmail.com>,
    Rahul Sundaram <sundaram at redhat.com>
Date: Sat, 04 Mar 2006 07:35:53 -0500
Subject: Re: Secunia pages -- publishing wrong and misleading information
         about security status of Fedora distros?? RE: [Fedora Project Wiki]
         Update of "Security" by JoshBressers (fwd)

> Was noticing one of Josh Bresser's edits to wiki/Security today...  (see
> the forward below).
> 
> If Secunia's information is incorrect and misleading, misrepresenting the
> true security status of Fedora distributions, oughtn't we get in touch
> with Secunia to help coordinate updating their information to make it
> correct and informative?

I would dare to say it's not worth the effort.  The problem becomes who
do you decide to feed information to and who don't you?  There are many
organizations like Secunia that try to represent security information to
the public at large.  I think the best way to describe security
issues to the Fedora community would be to write a script or two to
parse these files:

http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc4?root=fedora&view=markup
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc5?root=fedora&view=markup

These are where the security response team tracks every public issue
we're aware of that affects Core.

I'm open to suggestions and ideas from anyone who wants to parse this file.
One of the problems is how to display this information in a sensible
manner that doesn't overload a normal person.

These files do have a lack of bugzilla IDs, as almost 100% of the issues
in FC4 should have a bugzilla entry.  There are certain things we do
with bugzilla to help capture information.  The things in FC5 don't
always, as the version upgrade as part of distribution creation fixes
many issues.

Let's look at bug 182416

The first thing you will probably notice is the CVE id is in the
summary.  This makes it very easy to see which issues are which when
we do a bug listing.  This also means you can view the CVE information
here:  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0528

The severity is of course "security".  The "Status Whiteboard" is
possibly the most interesting thing we keep in a bug.  This is also
a field one would want to parse with a security reporting tool.

source=cve,reported=20060202,impact=important,public=20060128

This tells us we found out about this issue when MITRE made note of it in
their database (cve.mitre.org/cve).  It's one of the many many things we
spy on to stay ahead of the wave.

We found the issue on 2006-02-02 (reported).
We have classified the issue as "Important":
http://www.redhat.com/security/updates/classification/

And the issue was known to the public at large on 2006-01-28.

Let me know if there are any questions.

I should probably find some time to put all this into a wiki page.
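The "Status Whiteboard" convention Josh describes above (comma-separated key=value pairs, with the CVE id carried in the bug summary) is simple enough that the reporting script he suggests can start from a small parser. The following is an added example written for this archive page; it is not code from the thread or from the Fedora security response team's tooling. It assumes only what the mail states: the whiteboard keys source, reported, impact and public, YYYYMMDD dates, and the four Red Hat severity levels (low, moderate, important, critical) from the linked classification page. The audit file format itself is not shown in the mail, so it is not parsed here; the bug summary text is constructed for the example, and the whiteboard value is the one quoted in the mail.

```python
"""Parse the Bugzilla "Status Whiteboard" convention described in the mail.

Assumed format (taken from the mail):
    source=cve,reported=20060202,impact=important,public=20060128
The summary strings used in the sample data are constructed for this example.
"""
import re
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# CVE identifiers as they appear in bug summaries, e.g. CVE-2006-0528.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Red Hat's four severity classifications (assumption: the levels from the
# classification page linked in the mail).
VALID_IMPACTS = {"low", "moderate", "important", "critical"}


class WhiteboardError(ValueError):
    """Raised when a summary/whiteboard pair does not follow the convention."""


class SecurityBug(NamedTuple):
    cve_ids: Tuple[str, ...]
    source: str          # where the team first learned of the issue (e.g. "cve")
    reported: date       # when the team recorded the issue
    impact: str          # one of VALID_IMPACTS
    public: Optional[date]  # when the issue became public; None if not yet


def parse_whiteboard(text: str) -> Dict[str, str]:
    """Split 'k=v,k=v,...' into a dict, rejecting malformed or duplicate keys."""
    fields: Dict[str, str] = {}
    for item in text.strip().split(","):
        if not item.strip():
            continue  # tolerate a trailing comma
        if "=" not in item:
            raise WhiteboardError(f"malformed whiteboard item: {item!r}")
        key, value = item.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key in fields:
            raise WhiteboardError(f"duplicate whiteboard key: {key}")
        fields[key] = value
    return fields


def _parse_date(value: str, field: str) -> date:
    """Dates in the whiteboard are YYYYMMDD, e.g. 20060202."""
    try:
        return datetime.strptime(value, "%Y%m%d").date()
    except ValueError:
        raise WhiteboardError(f"bad {field} date: {value!r}") from None


def parse_bug(summary: str, whiteboard: str) -> SecurityBug:
    """Combine the CVE id(s) from the summary with the whiteboard fields."""
    cve_ids = tuple(sorted(set(CVE_RE.findall(summary))))
    if not cve_ids:
        raise WhiteboardError("no CVE id found in bug summary")
    fields = parse_whiteboard(whiteboard)
    for required in ("source", "reported", "impact"):
        if required not in fields:
            raise WhiteboardError(f"whiteboard missing required key: {required}")
    impact = fields["impact"].lower()
    if impact not in VALID_IMPACTS:
        raise WhiteboardError(f"unknown impact level: {impact!r}")
    reported = _parse_date(fields["reported"], "reported")
    public = _parse_date(fields["public"], "public") if "public" in fields else None
    return SecurityBug(cve_ids, fields["source"], reported, impact, public)


def days_public_before_reported(bug: SecurityBug) -> Optional[int]:
    """How many days the issue was public before the team recorded it.

    Positive: the issue was already public when recorded (exposure window).
    Zero or negative: recorded on or before public disclosure.
    None: no public date yet (still embargoed).
    """
    if bug.public is None:
        return None
    return (bug.reported - bug.public).days


def summarize(bugs: List[SecurityBug]) -> Dict[str, int]:
    """Counts per impact level plus the number of not-yet-public issues."""
    out = {level: 0 for level in sorted(VALID_IMPACTS)}
    out["not_public"] = 0
    for bug in bugs:
        out[bug.impact] += 1
        if bug.public is None:
            out["not_public"] += 1
    return out


if __name__ == "__main__":
    # The whiteboard value quoted in the mail; the summary text is constructed.
    bug = parse_bug("CVE-2006-0528 example summary (constructed)",
                    "source=cve,reported=20060202,impact=important,public=20060128")
    print(bug)
    print("public before reported (days):", days_public_before_reported(bug))
```

A reporting tool built on this would rather group bugs by impact and by exposure window than dump every field, which is the "don't overload a normal person" concern Josh raises; the parser raises on malformed whiteboards instead of guessing, so a bug that drifts from the convention shows up as an error in the report rather than as a silently wrong row.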




More information about the fedora-legacy-list mailing list