Mailing List Archive

How to track vulnerabilities
Hi, everybody.

Since there seems to be some confusion on this issue, and confusion
generates debate, and debate (de)generates into flame wars, I thought
maybe I could clear some of this up by explaining how to find out
various information easily. So here goes.

Patches
-------
As described in the Vulnerability Treatment Policy [1], GLSAs are
typically issued once a bug is fixed, not when it is discovered. Please
see the policy for the expected delay between the time a bug is
discovered and the advisory, and for when temporary GLSAs are issued
(if a fix is not readily available). Temporary GLSAs describe the bug
and offer any known workarounds. They are also issued if a package
cannot be fixed at this time and has been masked in portage.

The policy page also lists the mailing lists, the Gentoo forum, and the
official Gentoo RDF feed, all of which carry up-to-date advisories.

Another helpful tool is glsa-check, which checks your installed packages
against issued GLSAs to determine which should be upgraded. Grab your
copy from portage today!
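As an added example (not from this post and not one of Gentoo's own tools), here is a small Python script that reads an RSS 1.0/RDF advisory feed like the one mentioned above and reports which GLSAs appeared after the last one you acted on. The feed contents, GLSA ids and URLs below are constructed for the example, and the assumption that each feed item carries the GLSA id in its title or rdf:about is mine, not something the post states.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by RSS 1.0 (RDF Site Summary) feeds.
RSS_NS = "http://purl.org/rss/1.0/"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# GLSA ids have the form YYYYMM-NN, so plain string ordering is chronological.
GLSA_ID_RE = re.compile(r"\b(\d{6}-\d{2})\b")

# Constructed sample feed; the ids, package names and links are made up.
SAMPLE_FEED = """
<rdf:RDF xmlns="http://purl.org/rss/1.0/"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <channel rdf:about="http://example.invalid/glsa">
    <title>Example GLSA feed (constructed)</title>
  </channel>
  <item rdf:about="http://example.invalid/glsa/200412-03">
    <title>GLSA 200412-03: example-pkg: buffer overflow</title>
    <link>http://example.invalid/glsa/200412-03</link>
  </item>
  <item rdf:about="http://example.invalid/glsa/200501-01">
    <title>GLSA 200501-01: other-pkg: privilege escalation</title>
    <link>http://example.invalid/glsa/200501-01</link>
  </item>
  <item rdf:about="http://example.invalid/glsa/200411-20">
    <title>GLSA 200411-20: third-pkg: denial of service</title>
    <link>http://example.invalid/glsa/200411-20</link>
  </item>
</rdf:RDF>
"""

def parse_glsa_feed(xml_text):
    """Return [(glsa_id, title, link)] for every item that carries a GLSA id, oldest first."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("{%s}item" % RSS_NS):
        title = (item.findtext("{%s}title" % RSS_NS) or "").strip()
        link = (item.findtext("{%s}link" % RSS_NS) or "").strip()
        about = item.get("{%s}about" % RDF_NS, "")
        match = GLSA_ID_RE.search(title) or GLSA_ID_RE.search(about)
        if match:  # items without an id (e.g. news entries) are not advisories
            advisories.append((match.group(1), title, link))
    return sorted(advisories)

def new_since(advisories, last_seen_id):
    """Advisories issued after the id you last handled (ids order chronologically)."""
    return [adv for adv in advisories if adv[0] > last_seen_id]
```

Pair the output with glsa-check on the affected hosts: the feed tells you what was issued, glsa-check tells you which of those your installed packages actually match.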

Open Bugs
---------
Advisories are not issued immediately when a bug is opened. However,
all security bugs are entered in Bugzilla under the product "Gentoo
Security," under the "vulnerabilities" component (occasionally, a
suspected vulnerability will be listed under the "audit" component).

In order to receive e-mails tracking these bugs, create a Bugzilla
account if you do not already have one, click on your "preferences"
link, and go to the "Email settings" tab [2].

Under "Users to watch," enter security@gentoo.org. Below, there are two
tables that allow you to finely control which changes you wish to
receive notification about. Note that if you view *all* changes, you
will receive a very high volume of mail (for instance, between Dec 11
and now, I've received just under a thousand e-mails from Bugzilla).

Saved searches are also a convenient option on Bugzilla. You might want
to check 'em out.

I hope this clears up some possible confusion. If anyone has
constructive criticism regarding our policies, as always, feel free to
comment.

Cheers,
Dan

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
[2] http://bugs.gentoo.org/userprefs.cgi?tab=email
--
Dan Margolis
Gentoo Security/Audit