Ubuntu Security Notification
Existing Ubuntu Security Notices (USNs) are published at http://www.ubuntu.com/usn after following the SecurityTeam/UpdateProcedures.
Requirements
USNs must answer the following questions, in order of decreasing priority, from the point of view of the reader:
- What is this? (header)
  - Information about a security issue which affects Ubuntu systems
  - Unique identifiers (e.g., advisory ID, external references)
- Does the issue affect me?
  - Which packages and versions are affected? (to the extent known)
  - Does the issue only pertain to certain non-default configurations of the software involved?
- What is the impact of the vulnerability?
  - How would it be exploited? (an example scenario makes it easy for the reader to understand the impact)
  - If successfully exploited, what would be the nature of the exposure?
- How can I correct the problem?
  - Availability of fixed packages
  - Workarounds
If available and appropriate, the following information should also be included (after the above questions have been answered):
- The party who discovered the problem, if it can be determined with reasonable confidence
- Details of the bug (whether it belongs to a common category of bug, such as buffer overflow or integer overflow)
- Details of the fix, if non-obvious
Example
USNs follow a common template:
Subject: [USN-<serial>-<revision>] [Software Name] vulnerabilities

===========================================================
Ubuntu Security Notice USN-XXX-Y              [Month] [Day], [Year]
[source package name] vulnerabilities
[CVEs, bug#, etc]
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu [VERSION]
Ubuntu [VERSION+1]
...

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu [VERSION]:
  [binary package name]    [fixed version]

Ubuntu [VERSION+1]:
  [binary package name]    [fixed version]
...

In general, a standard system upgrade is sufficient to effect the
necessary changes.

[Or other instructions...]

Details follow:

[Person] discovered that [software] [did something incorrectly].
[This could be a problem because ...] (CVE-...)

[package checksums etc.]
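As an added example (not from the Ubuntu wiki and not the Security Team's own tooling), the following Python script parses a notice written in the template above and checks it against the requirements listed earlier: every affected release must have a fixed package version, every CVE cited in the details must also appear among the header references, and the notice must carry a "Details follow:" section. The sample notice is constructed for the example; its USN serial, package name, version strings and CVE number are placeholders, not real identifiers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample notice in the page's template. Serial, package,
# versions and the CVE number are placeholders, not a real advisory.
SAMPLE_USN = """\
Subject: [USN-0000-1] examplepkg vulnerabilities
===========================================================
Ubuntu Security Notice USN-0000-1              April 23, 2009
examplepkg vulnerabilities
CVE-0000-0001
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libexample1                     1.2.3-0ubuntu1.1

Ubuntu 8.10:
  libexample1                     1.2.4-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Jane Doe discovered that examplepkg did not correctly handle certain
inputs. A remote attacker could cause a denial of service. (CVE-0000-0001)
"""

HEADER_RE = re.compile(r"^Ubuntu Security Notice (USN-(\d+)-(\d+))\s+(.+?)\s*$", re.M)
PACKAGE_RE = re.compile(r"^(\S+) vulnerabilit(?:y|ies)$", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
AFFECTED_MARKER = "affects the following Ubuntu releases:"
FIX_MARKER = "following package versions:"
DETAILS_MARKER = "Details follow:"


@dataclass
class Notice:
    usn_id: str
    serial: int
    revision: int
    date: str
    source_package: str
    cves: list = field(default_factory=list)
    affected: list = field(default_factory=list)
    fixes: dict = field(default_factory=dict)  # release -> {binary package: fixed version}


def _section(text, start_marker, end_marker):
    """Return the text between two template markers, failing loudly if one is absent."""
    start = text.find(start_marker)
    if start < 0:
        raise ValueError(f"missing marker: {start_marker!r}")
    start += len(start_marker)
    end = text.find(end_marker, start)
    if end < 0:
        raise ValueError(f"missing marker: {end_marker!r}")
    return text[start:end]


def parse_usn(text):
    """Extract the identifying header, affected releases and fix table from a USN."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Ubuntu Security Notice USN-<serial>-<revision> <date>' line")
    p = PACKAGE_RE.search(text)
    if not p:
        raise ValueError("no '<source package> vulnerabilities' line")
    notice = Notice(usn_id=m.group(1), serial=int(m.group(2)), revision=int(m.group(3)),
                    date=m.group(4), source_package=p.group(1))
    notice.cves = list(dict.fromkeys(CVE_RE.findall(text)))  # unique, in order of appearance
    affected_block = _section(text, AFFECTED_MARKER, "This advisory also applies")
    notice.affected = [ln.strip() for ln in affected_block.splitlines()
                       if ln.strip().startswith("Ubuntu ")]
    # Fix table: "Ubuntu <release>:" headings followed by indented "<binary> <version>" rows.
    current = None
    for ln in _section(text, FIX_MARKER, DETAILS_MARKER).splitlines():
        s = ln.strip()
        if s.startswith("Ubuntu ") and s.endswith(":"):
            current = s[:-1]
            notice.fixes.setdefault(current, {})
        elif current and ln.startswith((" ", "\t")) and len(s.split()) == 2:
            binary, version = s.split()
            notice.fixes[current][binary] = version
    return notice


def check_notice(text):
    """Return a list of requirement violations; an empty list means the notice is consistent."""
    problems = []
    n = parse_usn(text)
    if not n.affected:
        problems.append("no affected Ubuntu releases listed")
    for rel in n.affected:
        if not n.fixes.get(rel):
            problems.append(f"{rel}: listed as affected but no fixed package version given")
    for rel in n.fixes:
        if rel not in n.affected:
            problems.append(f"{rel}: fixed versions given but release not listed as affected")
    if not n.cves:
        problems.append("no CVE reference in the notice")
    if DETAILS_MARKER not in text:
        problems.append(f"missing '{DETAILS_MARKER}' section")
    else:
        details = text.split(DETAILS_MARKER, 1)[1]
        header = text.split(AFFECTED_MARKER, 1)[0]
        for cve in CVE_RE.findall(details):
            if cve not in header:
                problems.append(f"{cve} cited in details but not in the header references")
    return problems


if __name__ == "__main__":
    print(parse_usn(SAMPLE_USN))
    print("problems:", check_notice(SAMPLE_USN) or "none")
```

The parser deliberately relies only on the fixed phrases of the template ("affects the following Ubuntu releases:", "following package versions:", "Details follow:"), so a notice that drops one of them fails with a message naming the missing marker rather than silently producing an empty result.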
SecurityNotification (last edited 2009-04-23 21:18:56 by pool-71-114-243-118)