<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/security/en/bug-searching.xml">
<title>Tips for searching and filtering Security bugs</title>
<author title="Author">
  <mail link="klieber@gentoo.org">Kurt Lieber</mail>
</author>
<author title="Author">
  <mail link="rbu@gentoo.org">Robert Buchholz</mail>
</author>

<abstract>
This document gives tips and hints for helping filter security-related bugzilla bugs.
</abstract>

<license/>

<version>1.2</version>
<date>2009-04-14</date>

<chapter>
<title>Bug Searching</title>
<section>
<title>All Security Bugs</title>
<body>
<p>
For identifying all security-related bugs, use the Bugzilla <uri link="https://bugs.gentoo.org/query.cgi">query</uri> page and set the following fields:
</p>
<ul>
<li><b>Product:</b> select "Gentoo Security"</li>
<li><b>Status:</b> set this to the type of bug you want to search for (i.e. closed bugs, open bugs, etc.)</li>
</ul>
<p>
This will give you a list of all security bugs in our system (or at least the ones that are properly assigned). You can set the query to only display Vulnerabilities, Kernel issues, or other subsets of Security bugs by setting the <b>Component</b> field.
</p>
</body>
</section>
<section>
<title>"Mark stable" Arch Bugs</title>
<body>
<p>
When a package has had a security patch applied, it typically needs to be tested before being marked stable on affected architectures.  To identify all bugs where a particular arch needs to mark a package stable, use the <uri link="https://bugs.gentoo.org/query.cgi">query</uri> page and set the following fields:
</p>
<ul>
<li><b>Product:</b> select "Gentoo Security"</li>
<li><b>Status:</b> set this to "New", "Assigned" and "Reopened" (i.e. don't search for bugs that are closed)</li>
<li><b>Email and Numbering:</b> Any of: "CC list member" should be set to "contains &lt;arch&gt;@gentoo.org"</li>
</ul>
<p>
When a package gets patched and requires testing, the security team will CC all relevant arches on that particular bug and request that they test and mark the package as stable on their architecture.  Thus, by using the search criteria described above, you'll be able to easily see what bugs require attention for a particular arch.
</p>
<impo>To make this report effective, it's very important that arch teams remember to remove themselves from the CC list once they have stabilized a package.</impo>
<note>For unsupported arches, bugs may be closed without the package being marked stable on that particular architecture.  Thus, developers for these architectures may wish to include closed bugs in their queries.  (For an explanation of "supported" vs. "unsupported" architectures, please see the <uri link="/security/en/vulnerability-policy.xml">Vulnerability Treatment Policy</uri>.)</note>
<p>
Architecture Security Liaisons will need additional queries to catch bugs that require their participation. Those bugs could be for instance <c>SEMI-PUBLIC</c> ranked bugs that need to be marked stable in the tree, or <c>CONFIDENTIAL</c> bugs that have prestable testing in Bugzilla only. To get a list of these bugs, use the <uri link="https://bugs.gentoo.org/query.cgi">query</uri> page and set the following fields:
</p>
<ul>
<li><b>Product:</b> select "Gentoo Security"</li>
<li><b>Status:</b> set this to "New", "Assigned" and "Reopened" (i.e. don't search for bugs that are closed)</li>
<li><b>Email and Numbering:</b> Any of: "CC list member" should be set to "contains &lt;login&gt;@gentoo.org" where &lt;login&gt; is the Gentoo username of the Liaison</li>
<li><b>Advanced Searching Using Boolean Charts:</b> "Group" should be set to "is equal to" and the input field should read "Security".</li>
</ul>
</body>
</section>
<section>
<title>Bugzilla queries that might be helpful</title>
<body>
<p>
Gentoo Security Team members and Padawans might find these queries helpful. Except for false positives, bugs listed in these queries need attention from the Security Team.
</p>
<ul>
<li><uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&amp;short_desc_type=allwordssubstr&amp;short_desc=&amp;product=Gentoo+Security&amp;component=Auditing&amp;component=Default+Configs&amp;component=GLSA+Errors&amp;component=Kernel&amp;component=Runpath+Issues&amp;component=Vulnerabilities&amp;long_desc_type=substring&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=allwordssubstr&amp;status_whiteboard=stable&amp;keywords_type=allwords&amp;keywords=&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailtype1=regexp&amp;email1=&amp;emailassigned_to2=1&amp;emailreporter2=1&amp;emailcc2=1&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=&amp;votes=&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=Reuse+same+sort+as+last+time&amp;query_based_on=stale+stable&amp;negate0=1&amp;field0-0-0=cc&amp;type0-0-0=substring&amp;value0-0-0=amd64%40gentoo.org&amp;negate1=1&amp;field1-0-0=cc&amp;type1-0-0=substring&amp;value1-0-0=x86%40gentoo.org&amp;negate2=1&amp;field2-0-0=cc&amp;type2-0-0=substring&amp;value2-0-0=ppc%40gentoo.org&amp;negate3=1&amp;field3-0-0=cc&amp;type3-0-0=substring&amp;value3-0-0=sparc%40gentoo.org&amp;negate4=1&amp;field4-0-0=cc&amp;type4-0-0=substring&amp;value4-0-0=alpha%40gentoo.org&amp;negate5=1&amp;field5-0-0=cc&amp;type5-0-0=substring&amp;value5-0-0=hppa%40gentoo.org&amp;negate6=1&amp;field6-0-0=cc&amp;type6-0-0=substring&amp;value6-0-0=ppc64%40gentoo.org">Stale stable</uri>: displays all open bugs that have "[stable]" in the Whiteboard but no arches in CC.</li>
<li><uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&amp;short_desc_type=allwordssubstr&amp;short_desc=&amp;product=Gentoo+Security&amp;long_desc_type=substring&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=allwordssubstr&amp;status_whiteboard=glsa%3F&amp;keywords_type=allwords&amp;keywords=&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailtype1=substring&amp;email1=&amp;emailassigned_to2=1&amp;emailreporter2=1&amp;emailcc2=1&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=&amp;votes=&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=Reuse+same+sort+as+last+time&amp;query_based_on=glsa%3F&amp;field0-0-0=noop&amp;type0-0-0=noop&amp;value0-0-0=">GLSA vote</uri>: lists bugs that are fixed in the tree but have no GLSA decision yet.</li>
<li><uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&amp;short_desc_type=allwordssubstr&amp;short_desc=&amp;product=Gentoo+Security&amp;component=Auditing&amp;component=Vulnerabilities&amp;long_desc_type=substring&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=notregexp&amp;status_whiteboard=ebuild|upstream|glsa|masked|stable&amp;keywords_type=nowords&amp;keywords=tracker&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailtype1=substring&amp;email1=&amp;emailassigned_to2=1&amp;emailreporter2=1&amp;emailcc2=1&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=&amp;votes=&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=Reuse+same+sort+as+last+time&amp;query_based_on=unhandled&amp;field0-0-0=noop&amp;type0-0-0=noop&amp;value0-0-0=">Unhandled bugs</uri>, bugs that are in no known Whiteboard state.</li>
<li><uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&amp;short_desc_type=notregexp&amp;short_desc=CVE&amp;product=Gentoo+Security&amp;component=Auditing&amp;component=Default+Configs&amp;component=GLSA+Errors&amp;component=Kernel&amp;component=Runpath+Issues&amp;component=Vulnerabilities&amp;long_desc_type=substring&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=allwordssubstr&amp;status_whiteboard=&amp;keywords_type=nowords&amp;keywords=Tracker&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailtype1=substring&amp;email1=&amp;emailassigned_to2=1&amp;emailreporter2=1&amp;emailcc2=1&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=&amp;votes=&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=Reuse+same+sort+as+last+time&amp;query_based_on=no-cve&amp;field0-0-0=noop&amp;type0-0-0=noop&amp;value0-0-0=">No CVE</uri>, bugs that carry no CVE identifier in their title.</li>
</ul>
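<p>
The arch "mark stable" query from the previous section and the "stale stable" query above both reduce to <c>buglist.cgi</c> parameters. The following Python is an added example, not part of this guide or of Bugzilla: it builds both URLs from the parameter names that appear in the saved-query links on this page (<c>emailcc1</c>/<c>emailtype1</c>/<c>email1</c> for the CC filter, <c>negateN</c>/<c>fieldN-0-0</c>/<c>typeN-0-0</c>/<c>valueN-0-0</c> for boolean-chart rows) and parses a saved URL back so an arch team can audit which arches a stored query excludes. The <c>ARCHES</c> list is assumed from the "Stale stable" link.
</p>

```python
from urllib.parse import parse_qs, urlencode, urlsplit

BUGZILLA = "https://bugs.gentoo.org/buglist.cgi"
OPEN_STATES = ("NEW", "ASSIGNED", "REOPENED")
# Arches negated in the guide's own "stale stable" link (assumed list).
ARCHES = ("amd64", "x86", "ppc", "sparc", "alpha", "hppa", "ppc64")


def arch_stable_query(arch: str) -> str:
    """Open Gentoo Security bugs that CC <arch>@gentoo.org: the
    "mark stable" query described in the guide's arch section."""
    params = [
        ("query_format", "advanced"),
        ("product", "Gentoo Security"),
        *(("bug_status", s) for s in OPEN_STATES),
        # "Email and Numbering": CC list member contains <arch>@gentoo.org
        ("emailcc1", "1"),
        ("emailtype1", "substring"),
        ("email1", f"{arch}@gentoo.org"),
    ]
    return f"{BUGZILLA}?{urlencode(params)}"


def stale_stable_query(arches=ARCHES) -> str:
    """Open bugs with "stable" on the whiteboard but no arch in CC. Each
    arch is one negated boolean-chart row: NOT (cc contains arch)."""
    params = [
        ("query_format", "advanced"),
        ("product", "Gentoo Security"),
        *(("bug_status", s) for s in OPEN_STATES),
        ("status_whiteboard_type", "allwordssubstr"),
        ("status_whiteboard", "stable"),
    ]
    for i, arch in enumerate(arches):
        params += [(f"negate{i}", "1"), (f"field{i}-0-0", "cc"),
                   (f"type{i}-0-0", "substring"),
                   (f"value{i}-0-0", f"{arch}@gentoo.org")]
    return f"{BUGZILLA}?{urlencode(params)}"


def excluded_arches(url: str) -> list:
    """Audit a saved buglist.cgi URL: return the arches whose CC
    membership is negated in its boolean chart, in row order."""
    q = parse_qs(urlsplit(url).query)
    found, i = [], 0
    while f"field{i}-0-0" in q:
        if q[f"field{i}-0-0"] == ["cc"] and q.get(f"negate{i}") == ["1"]:
            found.append(q[f"value{i}-0-0"][0].split("@")[0])
        i += 1
    return found
```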
</body>
</section>
</chapter>
</guide>