SecurityNotification
Differences between revisions 2 and 3
Revision 2: size 3164, comment "remove double title"
Revision 3: size 2654, comment "refreshed with current template"

Revision 2, line 2:
  Existing Ubuntu Security Notices (USNs) are published at [http://www.ubuntu.com/usn http://www.ubuntu.com/usn] after following the SecurityUpdateProcedures.
Revision 3, line 2:
  (no corresponding line)

Revision 2, line 5:
  Ubuntu Security Notices (USNs) must answer the following questions, in order of decreasing priority, from the point of view of the reader:
Revision 3, line 7:
  USNs must answer the following questions, in order of decreasing priority, from the point of view of the reader:

Revision 2, line 33:
  USNs follow a common template:
Revision 3, line 35:
  (no corresponding line)

Revision 2, line 34:
  Subject: [USN-<serial>-<revision>] Linux kernel vulnerabilities
Revision 3, line 37:
  Subject: [USN-<serial>-<revision>] [Software Name] vulnerabilities

Revision 2, line 36:
  -----------------------------------------------------------------
  Ubuntu Security Notice EXAMPLE                  October 22, 2004
Revision 3, line 39:
  ===========================================================
  Ubuntu Security Notice USN-XXX-Y          [Month] [Day], [Year]
  [source package name] vulnerabilities
  [CVEs, bug#, etc]
  ===========================================================

Revision 2, line 39:
  EXAMPLE Linux kernel vulnerabilities
  CVE, bug#, URL, etc.
  -----------------------------------------------------------------
Revision 3, line 45:
  A security issue affects the following Ubuntu releases:

Revision 2, line 43:
  An EXAMPLE security issue affects the following Ubuntu releases:
Revision 3, line 47:
  Ubuntu [VERSION]
  Ubuntu [VERSION+1]
  ...

Revision 2, line 45:
  Ubuntu 4.10 (Warty Warthog)
Revision 3, line 51:
  This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Revision 2, line 47:
  The following EXAMPLE packages are affected:
Revision 3, line 54:
  The problem can be corrected by upgrading your system to the following package versions:

Revision 2, line 49:
  linux-source-2.6.8.1
  linux-image-2.6.8.1-3-386
  linux-image-2.6.8.1-3-686
  linux-image-2.6.8.1-3-686-smp
  linux-image-2.6.8.1-3-k7
  linux-image-2.6.8.1-3-k7-smp
  linux-image-2.6.8.1-3-power3
  linux-image-2.6.8.1-3-power3-smp
  linux-image-2.6.8.1-3-power4
  linux-image-2.6.8.1-3-power4-smp
  linux-image-2.6.8.1-3-powerpc
  linux-image-2.6.8.1-3-powerpc-smp
  linux-image-2.6.8.1-3-amd64-k8
  linux-image-2.6.8.1-3-amd64-k8-smp
  linux-image-2.6.8.1-3-amd64-generic
  linux-image-2.6.8.1-3-amd64-xeon
Revision 3, line 57:
  Ubuntu [VERSION]:
    [binary package name] [fixed version]

Revision 2, line 66:
  This EXAMPLE vulnerability could allow any user to gain full administrative access to the system (root access). It can be corrected by upgrading the appropriate package(s) to version 2.6.8.1-16.
Revision 3, line 60:
  Ubuntu [VERSION+1]:
    [binary package name] [fixed version]
  ...

  In general, a standard system upgrade is sufficient to effect the necessary changes. [Or other instructions...]

  Details follow:

  [Person] discovered that [software] [did something incorrectly]. [This could be a problem because ...] (CVE-...)

Revision 2, line 72:
  == Security update checklist ==
   * Obtain CVE name(s) if not already assigned
   * If already assigned, verify CVE names against the [http://cve.mitre.org/cve/ CVE database]
   * Generate an appropriate package version number
   * Upload package(s) to the security queue
   * Test the resulting binaries
   * Run a spelling check
   * Run amber
   * Receive amber template
   * Add details to template, make any necessary edits
   * Have the advisory proofread by someone else
   * Mail to ubuntu-security-announce@lists.ubuntu.com
Revision 3, line 77:
  (no corresponding line)
Ubuntu Security Notification
Existing Ubuntu Security Notices (USNs) are published at [http://www.ubuntu.com/usn http://www.ubuntu.com/usn] after following the SecurityUpdateProcedures.
Requirements
USNs must answer the following questions, in order of decreasing priority, from the point of view of the reader:
- What is this? (header)
  - Information about a security issue which affects Ubuntu systems
  - Unique identifiers (e.g., advisory ID, external references)
- Does the issue affect me?
  - Which packages and versions are affected? (to the extent known)
  - Does the issue only pertain to certain non-default configurations of the software involved?
- What is the impact of the vulnerability?
  - How would it be exploited? (an example scenario makes it easy for the reader to understand the impact)
  - If successfully exploited, what would be the nature of the exposure?
- How can I correct the problem?
  - Availability of fixed packages
  - Workarounds
If available and appropriate, the following information should also be included (after the above questions have been answered):
- The party who discovered the problem, if it can be determined with reasonable confidence
- Details of the bug (whether it belongs to a common category of bug, such as a buffer overflow or integer overflow)
- Details of the fix, if non-obvious
Example
USNs follow a common template:
Subject: [USN-<serial>-<revision>] [Software Name] vulnerabilities

===========================================================
Ubuntu Security Notice USN-XXX-Y          [Month] [Day], [Year]
[source package name] vulnerabilities
[CVEs, bug#, etc]
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu [VERSION]
Ubuntu [VERSION+1]
...

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu [VERSION]:
  [binary package name] [fixed version]

Ubuntu [VERSION+1]:
  [binary package name] [fixed version]
...

In general, a standard system upgrade is sufficient to effect the necessary changes. [Or other instructions...]

Details follow:

[Person] discovered that [software] [did something incorrectly]. [This could be a problem because ...] (CVE-...)

[package checksums etc.]
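As an added example (my own code, not Ubuntu's tooling and not part of this page), here is a small Python renderer that fills the template above from structured fields, plus a checker that tests a finished notice against the reader questions in the Requirements section: the advisory identifier in the Subject and header agree, every listed Ubuntu release has fixed package versions, the CVE identifiers in the header and in the details section match, and the details section is not empty. The Notice and Fix field names, the regular expressions and the sample notice are assumptions of this example; the USN number, CVE, package name and versions in the sample are constructed placeholders, not real ones.

```python
import re
from dataclasses import dataclass

# Added example, not Ubuntu's tooling. Field names below are my own choice.
RULE = "=" * 59


@dataclass
class Fix:
    release: str   # e.g. "Ubuntu 8.10"
    package: str   # binary package name
    version: str   # fixed version


@dataclass
class Notice:
    serial: int
    revision: int
    software: str        # "[Software Name]" in the Subject line
    source_package: str  # "[source package name]" in the header
    date: str            # "[Month] [Day], [Year]" as in the template
    cves: list           # CVE identifiers for the header
    fixes: list          # one Fix per (release, binary package)
    details: str         # "[Person] discovered that ... (CVE-...)"


def render(n):
    """Fill the page's USN template from a Notice and return the text."""
    usn = f"USN-{n.serial}-{n.revision}"
    releases = []
    for f in n.fixes:                       # first-seen order, no duplicates
        if f.release not in releases:
            releases.append(f.release)
    out = [
        f"Subject: [{usn}] {n.software} vulnerabilities",
        "",
        RULE,
        f"Ubuntu Security Notice {usn}    {n.date}",
        f"{n.source_package} vulnerabilities",
        ", ".join(n.cves),
        RULE,
        "",
        "A security issue affects the following Ubuntu releases:",
        "",
        *releases,
        "",
        "This advisory also applies to the corresponding versions of "
        "Kubuntu, Edubuntu, and Xubuntu.",
        "",
        "The problem can be corrected by upgrading your system to the "
        "following package versions:",
        "",
    ]
    for rel in releases:                    # "Ubuntu X:" then indented package lines
        out.append(f"{rel}:")
        out += [f"  {f.package} {f.version}" for f in n.fixes if f.release == rel]
        out.append("")
    out += [
        "In general, a standard system upgrade is sufficient to effect the "
        "necessary changes.",
        "",
        "Details follow:",
        "",
        n.details,
    ]
    return "\n".join(out) + "\n"


SUBJECT_RE = re.compile(r"^Subject: \[(USN-\d+-\d+)\] .+ vulnerabilities$", re.M)
HEADER_RE = re.compile(r"^Ubuntu Security Notice (USN-\d+-\d+)\s+\S.*$", re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
RELEASE_RE = re.compile(r"^(Ubuntu \d+\.\d+)$", re.M)
FIXBLOCK_RE = re.compile(r"^(Ubuntu \d+\.\d+):\n((?:  \S+ \S+\n)+)", re.M)


def check(text):
    """Return a list of problems; an empty list means each reader question is answered."""
    problems = []
    subj, head = SUBJECT_RE.search(text), HEADER_RE.search(text)
    if not subj or not head:
        problems.append("header: Subject or 'Ubuntu Security Notice' line missing")
    elif subj.group(1) != head.group(1):
        problems.append(f"header: Subject {subj.group(1)} != body {head.group(1)}")
    header_part, _, details = text.partition("Details follow:")
    if not details.strip():
        problems.append("impact: 'Details follow:' section is empty")
    head_cves, body_cves = set(CVE_RE.findall(header_part)), set(CVE_RE.findall(details))
    if not head_cves:
        problems.append("identifiers: no CVE in the header")
    for c in sorted(head_cves - body_cves):
        problems.append(f"identifiers: {c} listed in header but not in Details")
    for c in sorted(body_cves - head_cves):
        problems.append(f"identifiers: {c} in Details but not in header")
    releases = RELEASE_RE.findall(header_part)
    fixed = dict(FIXBLOCK_RE.findall(header_part))   # release -> package lines
    if not releases:
        problems.append("affected: no Ubuntu release listed")
    for r in releases:
        if r not in fixed:
            problems.append(f"fix: no package versions given for {r}")
    return problems


def sample_notice():
    """Constructed sample: USN number, CVE, package and versions are placeholders."""
    return Notice(
        serial=1234, revision=1, software="foo", source_package="foo",
        date="January 1, 2009", cves=["CVE-2009-0001"],
        fixes=[Fix("Ubuntu 8.04", "libfoo1", "1.0-1ubuntu0.1"),
               Fix("Ubuntu 8.10", "libfoo1", "1.0-2ubuntu0.1")],
        details="Jane Doe discovered that foo did not check the length of "
                "incoming requests. A remote attacker could exploit this to "
                "crash foo. (CVE-2009-0001)",
    )


if __name__ == "__main__":
    text = render(sample_notice())
    print(text)
    print("problems:", check(text))
```

The checker deliberately cross-references the CVE list in the header with the "(CVE-...)" citations in the details: a notice that names a CVE it never explains, or explains one it never lists, fails the "unique identifiers" and "impact" questions even though every template slot is filled.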
SecurityNotification (last edited 2009-04-23 21:18:56 by pool-71-114-243-118)