
Ubuntu Security Notification

Existing Ubuntu Security Notices (USNs) are published at http://www.ubuntu.com/usn after following the SecurityTeam/UpdateProcedures.

Requirements

USNs must answer the following questions, in order of decreasing priority, from the point of view of the reader:

  1. What is this? (header)
    1. Information about a security issue which affects Ubuntu systems
    2. Unique identifiers (e.g., advisory ID, external references)
  2. Does the issue affect me?
    1. Which packages and versions are affected? (to the extent known)
    2. Does the issue only pertain to certain non-default configurations of the software involved?
  3. What is the impact of the vulnerability?
    1. How would it be exploited? (an example scenario makes it easy for the reader to understand the impact)
    2. If successfully exploited, what would be the nature of the exposure?
  4. How can I correct the problem?
    1. Availability of fixed packages
    2. Workarounds

If available and appropriate, the following information should also be included (after the above questions have been answered):

  1. The party who discovered the problem, if it can be determined with reasonable confidence
  2. Details of the bug (e.g., whether it belongs to a common category such as buffer overflow or integer overflow)
  3. Details of the fix, if non-obvious

Example

USNs follow a common template:

    Subject: [USN-<serial>-<revision>] [Software Name] vulnerabilities

    ===========================================================
    Ubuntu Security Notice USN-XXX-Y      [Month] [Day], [Year]
    [source package name] vulnerabilities
    [CVEs, bug#, etc]
    ===========================================================

    A security issue affects the following Ubuntu releases:

    Ubuntu [VERSION]
    Ubuntu [VERSION+1]
    ...

    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.

    The problem can be corrected by upgrading your system to the
    following package versions:

    Ubuntu [VERSION]:
      [binary package name]                    [fixed version]
    
    Ubuntu [VERSION+1]:
      [binary package name]                    [fixed version]
    
    ...
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.  [Or other instructions...]

    Details follow:

    [Person] discovered that [software] [did something incorrectly].
    [This could be a problem because ...]
    (CVE-...)


    [package checksums etc.]
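As an added illustration (not part of this wiki page or of the Ubuntu security team's own tooling), the following Python snippet reads an advisory laid out as in the template above and reports which of the required elements from the Requirements section it is missing. The sample advisory, its USN number, CVE ids, package names and versions are constructed placeholders.

```python
import re
# Constructed sample in the template above; every identifier is a placeholder.
SAMPLE_USN = """\
Ubuntu Security Notice USN-000-1      April 23, 2009
examplepkg vulnerabilities
CVE-0000-0001, CVE-0000-0002
===========================================================

A security issue affects the following Ubuntu releases:
Ubuntu 8.10
Ubuntu 9.04

Ubuntu 8.10:
  libexample1                    1.0-1ubuntu0.1
Ubuntu 9.04:
  libexample1                    1.2-2ubuntu0.1

Someone discovered that examplepkg mishandled input. (CVE-0000-0001)
"""
HEADER_RE = re.compile(r"^Ubuntu Security Notice (USN-\d+-\d+)\s+(\S.*)$")
RELEASE_RE = re.compile(r"^Ubuntu ([\d.]+)(:?)$")  # "Ubuntu 8.10" or "Ubuntu 8.10:"
FIXED_PKG_RE = re.compile(r"^\s+(\S+)\s+(\S+)$")   # "  binary-package   fixed-version"

def parse_usn(text):
    info = {"id": None, "date": None, "package": None, "releases": [], "fixed": {},
            "cves": list(dict.fromkeys(re.findall(r"CVE-\d{4}-\d{4,}", text)))}
    current = None  # release whose fixed-package block we are inside
    for line in map(str.rstrip, text.splitlines()):
        if m := HEADER_RE.match(line):
            info["id"], info["date"] = m.group(1), m.group(2)
        elif info["package"] is None and line.endswith(" vulnerabilities"):
            info["package"] = line[:-len(" vulnerabilities")]
        elif m := RELEASE_RE.match(line):
            if m.group(2):  # trailing colon: header of a fixed-version block
                info["fixed"].setdefault(current := m.group(1), {})
            else:           # bare release name: the "affects" list
                info["releases"].append(m.group(1))
        elif current and (m := FIXED_PKG_RE.match(line)):
            info["fixed"][current][m.group(1)] = m.group(2)
        elif not line:      # blank line ends a fixed-version block
            current = None
    return info

def check_required(info):
    # Empty result means the advisory answers every mandatory question above.
    problems = [f"missing {k}" for k in ("id", "date", "package", "cves", "releases") if not info[k]]
    for rel in info["releases"]:
        if not info["fixed"].get(rel):
            problems.append(f"no fixed package versions for Ubuntu {rel}")
    return problems
```

The CVE list is de-duplicated because the same id appears both in the header block and beside the paragraph describing the issue.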

SecurityNotification (last edited 2009-04-23 21:18:56 by pool-71-114-243-118)