From patchwork Tue Dec 5 14:16:01 2023
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Subject: [committed] Adapt the security policy for the security page
Date: Tue, 5 Dec 2023 09:16:01 -0500
Message-ID: <20231205141601.207255-1-siddhesh@sourceware.org>

Call the document a "Security Policy" to disambiguate it from the security
*process* documented in the security page. Also, point to the security page
for bug reporting and CVE assignment.

Signed-off-by: Siddhesh Poyarekar
---
 SECURITY.md | 61 ++++++++++++-----------------------------------------
 1 file changed, 14 insertions(+), 47 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index a5f679f69b..e0f68f1ecb 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,9 +1,9 @@ -# The GNU C Library Security Process +# The GNU C Library Security Policy -This document describes the process followed by the GNU C Library maintainers +This document describes the policy followed by the GNU C Library maintainers to handle bugs that may have a security impact. This includes determining if a bug has a security impact, reporting such bugs to the community and handling -such bugs all the way to resolution. This process may evolve over time, so if +such bugs all the way to resolution. This policy may evolve over time, so if you're reading this from a release tarball, be sure to check the latest copy of the [SECURITY.md in the repository](https://sourceware.org/git/?p=glibc.git;a=blob;f=SECURITY.md), 
@@ -117,40 +117,13 @@ security vulnerability in itself. By their nature, these countermeasures are based on heuristics and will never offer complete protection, so the original vulnerability needs to be fixed anyway. -## Reporting private security bugs +## Reporting security bugs -**IMPORTANT: All bugs reported in Bugzilla are public.** - -As a rule of thumb, security vulnerabilities which are exposed over the network -or can be used for local privilege escalation (through existing applications, -not synthetic test cases) should be reported privately. We expect that such -critical security bugs are rare, and that most security bugs can be reported in -Bugzilla, thus making them public immediately. If in doubt, you can file a -private bug, as explained in the next paragraph. - -If you want to report a _private_ security bug that is not immediately -public, please contact _one_ of our downstream distributions with security -teams. The follow teams have volunteered to handle such bugs: - -* Debian: security@debian.org -* Red Hat: secalert@redhat.com -* SUSE: security@suse.de - -Please report the bug to _just one_ of these teams. It will be shared with -other teams as necessary. - -The team you contacted will take care of details such as vulnerability rating -and [CVE assignment](http://cve.mitre.org/about/). It is likely that the team -will ask to file a public bug because the issue is sufficiently minor and does -not warrant an embargo. An embargo is not a requirement for being credited -with the discovery of a security vulnerability. - -## Reporting public security bugs - -We expect that critical security bugs are rare, and that most security bugs can -be reported in Bugzilla, thus making them public immediately. When reporting -public security bugs the reporter should provide rationale for their choice of -public disclosure. +The process to report security bugs is documented on the glibc [security +page](https://sourceware.org/glibc/security.html). 
In general, most security +bugs may be reported publicly in the [glibc +bugzilla](https://sourceware.org/glibc/bugs.html), but if in doubt, please feel +free to report security issues privately first. ## Triaging security bugs @@ -196,14 +169,8 @@ the bug, the fix, or the mailing list discussions. ## CVE assignment -Security bugs flagged with `security+` should have [CVE identifiers](http://cve.mitre.org/about/). - -For bugs which are public (thus all bugs in Bugzilla), CVE assignment has to -happen through the [oss-security mailing -list](http://oss-security.openwall.org/wiki/mailing-lists/oss-security). -(Downstreams will eventually request CVE assignment through their public -Bugzilla monitoring processes.) - -For initially private security bugs, CVEs will be assigned as needed by the -downstream security teams. Once a public bug is filed, the name should be -included in Bugzilla. +Security bugs flagged with `security+` should have [CVE +identifiers](http://cve.mitre.org/about/). Please reach out to the glibc +security team using the documented [security +process](https://sourceware.org/glibc/security.html) and they work on getting a +CVE number.
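Review bot: The first hunk renames the title and two occurrences of "process" to "policy", but the commit message says the point is to disambiguate this file from the security process on the web page, so the remaining sections of SECURITY.md that the diff does not touch (triage, disclosure, the text around line 117 and 169) should be checked for leftover "this process" wording; otherwise the rename is only partial and the two documents still share a name.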
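Review bot: The new "Reporting security bugs" section drops the notice "**IMPORTANT: All bugs reported in Bugzilla are public.**" while still telling reporters to "feel free to report security issues privately first" without saying where; a reader of a release tarball with no access to the linked security page is left with no private channel and no warning that a Bugzilla filing is immediately public. Suggest keeping that one-line notice ahead of the link, and either naming the private contact inline or stating explicitly that the private reporting contacts are listed on the security page. The link text "[security page]" wrapped across two source lines is valid CommonMark and needs no change.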
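Review bot: In the CVE assignment hunk, "and they work on getting a CVE number" reads as a present-tense statement of fact; "and they will work on getting a CVE number" matches the intent. The removed text also said "Once a public bug is filed, the name should be included in Bugzilla", and nothing in the replacement says where an assigned CVE gets recorded, so consider keeping that sentence after the new paragraph. Minor: the `http://cve.mitre.org/about/` link could use `https://`.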