incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject ooo-security and securityteam@ OO.o coordination
Date Thu, 13 Oct 2011 16:26:56 GMT
This is an update on arrangements to have a common place by which different 
security teams are able to share and coordinate analysis and resolution of 
potentially-common security vulnerabilities.

The private ooo-security@ incubator.apache.org list is now set up as a 
subscriber to the securityteam@ openoffice.org list.  The main security@ 
apache.org list is automatically a subscriber to ooo-security@ i.a.o, and will 
also see material from securityteam@ OO.o.

This provides a direct channel by which ooo-security@ i.a.o (and security@ 
apache.org) will be informed of sensitive security-related matters being 
reported and discussed in the securityteam@ forum.  This should significantly 
reduce the possibility that any issue that impacts the safety of Apache OOo 
releases goes unrecognized and unreported.  In the event that an issue becomes 
known to ooo-security independently, it will be shared with securityteam@ 
OO.o.

I want to clarify why this coordination is done privately and, for the Apache 
OOo podling, confined within the PPMC.  Premature disclosure of an exploitable 
defect is essentially an open invitation for unscrupulous creation and 
application of exploits.  This means that defects which are identified as 
exploitable are withheld from public issue trackers and even the 
publicly-visible changes to the code base.  No mention of vulnerability and 
exploitation is made in the public operations.  The goal is to have the repair 
identified and the fix (or new release when patches are not provided) on its 
way before disclosing any information about there being an associated 
vulnerability.  (Known, active exploits require emergency measures outside 
this practice, leading to advisories in advance of any repair in some cases.)

Apache has extensive experience with the appropriate procedures, and has a 
strong security team, <http://www.apache.org/security/>.  The Apache AOOo 
security team and the PPMC are guided by the practices and procedures 
established by the Apache security team,
<http://www.apache.org/security/committers.html>.

WHAT YOU'LL SEE ABOUT SECURITY ISSUES

In general, only vulnerabilities that are confirmed and that apply to Apache 
AOOo code will be disclosed in any public location such as the ooo-dev and 
ooo-users lists.  Reports will be on user lists, the web site, and the project 
blog, among other locations.

It is typical for there to be a CVE (Common Vulnerabilities and Exposures) 
identification associated with a vulnerability.  These identifiers are managed 
by a naming authority that also provides information for each issued CVE 
identifier.  For example, CVE-2008-2370 is a typical notification related to 
an Apache project,
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370>.

CVE registrations are not the same as advisories and security-update 
announcements, such as this one from a downstream dependency impacted by 
vulnerability CVE-2008-2370:
<https://rhn.redhat.com/errata/RHSA-2008-0862.html>.
A CVE can be linked to the advisories that reference it, as is the case with 
CVE-2008-2370.

 - Dennis

