UpdateProcedures

Issues that warrant a security update

We only fix bugs in our stable releases which truly affect overall system security, i.e. which enable an attacker to circumvent the permissions configured on the system, or which threaten the user's data in any way. The most common examples:

  • Buffer overflow in a server process which allows an attacker to crash it (denial of service) and/or to execute attacker-provided code (privilege escalation).
  • Insecure temporary file handling which allows race-condition and symlink attacks to delete unrelated files with the invoker's privileges.
  • Non-working security-relevant configuration options (e.g. iptables would allow packets which should be blocked, or a server's ACL option does not behave as documented).
  • Less critical bugs (like denial of service vulnerabilities in instant messengers or email applications) are usually also fixed, but with lower priority.

Responsibility

The Ubuntu Security team (security@ubuntu.com, Launchpad team ubuntu-security) is responsible for all issues that affect source packages in Ubuntu main and restricted, and will work with upstreams (Canonical and others), distributions and developers to provide security fixes for Ubuntu.

The Ubuntu Security team also tracks issues in universe and multiverse and, at their discretion, may request a sync from Debian to solve vulnerabilities in packages in the current development release. Patches for flaws in universe and multiverse packages should be prepared by community members, both for stable releases and for the development release when a sync from Debian is deemed too intrusive.

Preparing an update

Preparing an update requires a lot of effort and attention to detail. Ubuntu has millions of users who expect a very high level of stability in their system. To achieve a high level of quality, the process has been broken down into the following stages:

The MOTU and MOTU Swat developers are available to answer questions and provide assistance in preparing updates. The Ubuntu Security team will process updates from the community and provide assistance as needed.

Remember: people can help with any stage of the process, so don't be shy: get involved!

Releasing an update

Only members of the Ubuntu Security team can publish security updates into the security pocket for a given Ubuntu release. Updates are usually uploaded to and published from the private Ubuntu Security team PPA, though other teams may have their own PPAs that updates may be pulled from.

The Ubuntu Security team publishes updates from the following:

For packages that have a special publication procedure such as the kernel or Mozilla updates, please also consult SecurityTeam/PublicationNotes.

Sponsoring an update

Please review the SponsorshipProcess and the SecurityTeam/SponsorsQueue.

Regressions

In the case of regressions caused by security updates, please follow the SRU regression policy.


CategorySecurityTeam CategoryProcess

SecurityTeam/UpdateProcedures (last edited 2019-09-16 14:57:57 by seth-arnold)