Debian Security
Outline
- Work of the Security Team
- Sources of notification
- Processing of problems
- Common Problems
- How to help?
- Summary
Debian Security Team
- Founded 1997
- Developers dedicated to securing Debian
- Officers and Secretaries
- Small team
  - Currently a bit too small
- More than 750 advisories
Scope of Debian Security
- Security problems in stable releases
- Verify problems
- Coordination with maintainer
- Coordination with upstream
- Coordination with vendors
- Fix problems
- Release advisory
Not in Scope of Debian Security
- Security problems on users' machines
- Security problems on Debian mirrors
- unstable distribution
- testing distribution
- Installation problems
- Examples, exploits
Relationships and Sources
- Debian Security Audit
- CERT
- vendor-sec
- bugtraq
- Other vendors
- CVE / MITRE
Sources
Pre-Notification / Coordination
- Private information, non-public
- Sensible handling of security problems
- Real bug fixing vs. being the first
- Similar chances for all vendors
- Benefiting from other vendors' work
- Full disclosure vs. immediate disclosure
What is vendor-sec?
- Not well documented in public
- Mailing list
- Federation of various vendors
  - Commercial and non-commercial
  - Linux, BSD, IRIX, HP-UX
  - Celebrities
- Talk about security problems
- Development of corrections
- Coordination / sensible handling
Bug validation
- Understanding the problem
- Building a test case
- Code review
- Code analysis
- Correction
- Testing
Non-issues
- Exploits for user programs
- Problems in unused code
- Problems in unprivileged code
- Bugs in examples
- Non-automatic, non-root programs
security.debian.org
- Private DAK installation
- Private queue
- Public upload directory
- Specific wanna-build databases
- Build log approval
- Immediate update
Security Processing
Common problems
- Buffer overflow, integer overflow
- Format string
- SQL injection
- Missing privilege release
- Infinite loop
- Cross-site scripting
- Information disclosure
How to help?
- Report problems comprehensively
- Validate yourself
- Develop a correction
- Only distribute clean patches
- Testing
- Watch security lists
- Debian Security Audit
Summary
- Sources for notification
- vendor-sec
- Full disclosure vs. immediate disclosure
- Security processing
- How to help