Re: linux-distros membership application - Microsoft


oss-sec mailing list archives
From: Sasha Levin <sashal () kernel org>

Date: Sun, 11 Aug 2019 22:47:51 -0400

On Thu, Jun 27, 2019 at 04:03:21PM +0200, Solar Designer wrote:
> On Wed, Jun 26, 2019 at 10:13:58AM -0400, Sasha Levin wrote:
> > We understand this need and will be contributing back. Looking at the
> > list of vacant positions I can suggest the following, but I suspect that
> > existing list members will have better suggestions.
> >
> > Technical:
> >
> > 3. Review and/or test the proposed patches and point out potential
> > issues with them (such as incomplete fixes for the originally reported
> > issues, additional issues you might notice, and newly introduced bugs),
> > and inform the list of the work done even if no issues were encountered
> > - primary: Amazon, backup: vacant
> >
> > Administrative:
> >
> > 3. Evaluate if the issue (or one of the issues) is effectively already
> > public (e.g., a fix is committed upstream with a descriptive message)
> > or/and is low severity and thus the report (or its portion pertaining to
> > the issue) should be made public right away for one or both of these
> > reasons, get a few other list members to confirm this understanding, and
> > if there are no objections then communicate this strong preference to
> > the reporter - primary: CloudLinux, backup: vacant
>
> If Microsoft volunteers for these, I'd like that to be in "primary" role
> at least for the technical task of "3. Review and/or test the proposed
> patches ..."  I think Amazon hasn't been doing enough on that front,
> especially given the request to "inform the list of the work done even
> if no issues were encountered".  Given this request, if this were
> seriously worked on, I would have expected such reports from Amazon on
> almost every issue handled on linux-distros, but this wasn't the case.
>
> I also would like a distro (maybe Microsoft) to volunteer for Technical:
>
> 4. Check if related issues exist in the same piece of software (e.g.,
> same bug class common across the software, or other kinds of bugs exist
> in its problematic component), and inform the list either way
>
> and Administrative:
>
> 4. Evaluate relevance to other parties such as the upstream, other
> affected distros (not present on the (sub-)list), and other Open Source
> projects, see if the report mentions notifying any of these, communicate
> your findings and possible concerns to the reporter and the list, and
> stay on top of the resulting discussion until a decision is made on who
> else to possibly notify (or not) and any such notifications are in fact
> made (with the reporter's approval)
>
> These are completely unclaimed now, but are much needed.
>
> For Technical "4. Check if related issues exist ...", we sometimes get
> some helpful for varying distros' package maintainers and such, but this
> is not consistent.  For example, recently Takashi Iwai of SUSE helped
> with Linux Marvell Wi-Fi driver issues - thanks! - but this is more of
> an exception than the rule.
>
> The lack of a volunteer distro for Administrative "4. Evaluate relevance
> to other parties ..." came up e.g. here:
>
> "Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460)"
> https://www.openwall.com/lists/oss-security/2019/01/11/2

Since Ubuntu took over quite a few tasks (thanks!), I can suggest the
following tasks for Microsoft:

As primary, administrative: "4. Evaluate relevance to other parties such
as the upstream, other affected distros (not present on the (sub-)list),
and other Open Source projects, ...".

As backup, administrative: "3. Evaluate if the issue (or one of the
issues) is effectively already public ...".

I can also offer to act as a liaison between linux-distros and
security@k.o now, and MSRC in the future.

--
Thanks,
Sasha
