[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission

To: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>
From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Date: Mon, 19 Jan 2015 12:35:29 +0000
Cc: lars.kurth.xen@xxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Delivery-date: Mon, 19 Jan 2015 12:35:56 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, 2015-01-16 at 19:52 +0000, Ian Jackson wrote:
> Permitting deployment during embargo seemed to have rough consensus on
> the principle.  We seemed to be converging on the idea that the
> Security Team should explicitly set deployment restrictions for each
> set of patches.
> 
> Signed-off-by: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
> ---
>  security_vulnerability_process.html |   11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/security_vulnerability_process.html 
> b/security_vulnerability_process.html
> index 010cf76..de5e83e 100644
> --- a/security_vulnerability_process.html
> +++ b/security_vulnerability_process.html
> @@ -212,6 +212,17 @@ following:</p>
>    <li>The assigned XSA number</li>
>    <li>The planned disclosure date</li>
>  </ul>
> +<p>List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions during the embargo.  Permission for
> +deployment, and any restrictions, will be stated in the embargoed
> +advisory text.</p>

Do you have a corresponding patch to our advisory template to add a
section with an XXX for this?

> +<p>The Security Team will normally permit such deployment, even for
> +systems where VMs are managed or used by non-members of the
> +predisclosure list.  The Security Team will impose deployment
> +restrictions only insofar as it is necessary to prevent the exposure
> +of technicalities (for example, differences in behaviour) which
> +present a significant risk of rediscovery of the vulnerability.  Such
> +situations are expected to be rare.</p>
>  <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
>  permitted to also make available the allocated CVE number. This is no
>  longer permitted in accordance with MITRE policy.</p>



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission
  - From: Ian Jackson

References:
- [Xen-devel] [PATCH SECURITY-POLICY 0/9] Re: Security policy ambiguities - XSA-108 process post-mortem
  - From: Ian Jackson
- [Xen-devel] [PATCH SECURITY-POLICY 1/9] Grammar fix: Remove a comma splice
  - From: Ian Jackson
- [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission
  - From: Ian Jackson

Prev by Date: Re: [Xen-devel] [Bugfix 0/3] Fix regressions in Xen IRQ management
Next by Date: Re: [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission
Previous by thread: Re: [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission
Next by thread: Re: [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.