UpdateProcedures

Differences between revisions 1 and 97 (spanning 96 versions)
Revision 1 as of 2005-05-28 20:24:11
Size: 5031
Editor: adsl-213-190-44-43
Comment: imported from the old wiki
Revision 97 as of 2009-03-17 22:17:18
Size: 15014
Editor: pool-71-114-228-211
Comment: add mailing list archive link
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= SecurityUpdateProcedures =

= Ubuntu security updates =		 ||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>||
Line 7: Line 5:
We only fix bugs in our stable releases which truly affect overall system security, i. e. which enable an attacker to circumvent the permissions configured on the system. Most common examples: We only fix bugs in our stable releases which truly affect overall system security, i. e. which enable an attacker to circumvent the permissions configured on the system, or are a threat to the user's data in any way. Most common examples:
Line 9: Line 7:
 * buffer overflow in a server process which allows to crash it (denial of service) and/or to execute attacker provided code (privilege escalation)
 * insecure temporary file handling which allows race condition and symlink attacks to delete unrelated files with the invoker's privileges
 * non-working security-relevant configuration options (e. g. iptables would allow packets which should be blocked, or a server's ACL option does not do the right thing)		  * Buffer overflow in a server process which allows to crash it (denial of service) and/or to execute attacker provided code (privilege escalation).
 * Insecure temporary file handling which allows race condition and symlink attacks to delete unrelated files with the invoker's privileges.
 * Non-working security-relevant configuration options (e. g. iptables would allow packets which should be blocked, or a server's ACL option does not do the right thing).
 * Less critical bugs (like Denial of Service vulnerabilities in instant messengers or email applications) are also fixed usually, but with lower priority.
Line 13: Line 12:
== Responsibility ==

The Ubuntu security team (security@ubuntu.com, Launchpad team [[https://launchpad.net/people/ubuntu-security|ubuntu-security]]) is responsible for all issues that affect source packages in Ubuntu main and restricted. Usually timely updates are provided.

The Ubuntu security team also tracks issues in universe and multiverse. It aims to solve vulnerabilities in the current development release by requesting syncs from Debian. Due to lack of manpower, flaws in stable releases and Ubuntu-modified packages are not fixed by `ubuntu-security`, but the team will provide assistance in releasing updates which are prepared by other developers.

<<Anchor(Prepare)>>
Line 15: Line 21:
 0. Collect as much information about the vulnerability as possible. Use the [[http://cve.mitre.org/cve|CVE database]], the [[http://www.securityfocus.com/archive/1|BugTraq]] and [[https://lists.grok.org.uk/mailman/listinfo/full-disclosure|full-disclosure mailing list]] ([[http://lists.grok.org.uk/pipermail/full-disclosure/|archive]]), the [[http://bugs.debian.org|Debian BTS]], upstream bug tracking system, upstream revision control systems, and any other source to collect CAN/CVE numbers, causes, impacts, patches, and possible workarounds.
 0. Prepare an [[UbuntuDevelopment#Packaging|updated package]] based on the appropriate released source package or the last security update.
  * Make only the minimum changes necessary to fix the bug. This is crucial both for the review process and to avoid introducing bugs or unexpected behavioural changes.
   * In the rare cases when a security update must include a major version update, it should, if possible, go to -proposed first for testing. Any upload by a security team member to -proposed for a security vulnerability will get accepted immediately without ack from ubuntu-sru (similar to how regular security fixes being installed into -updates happen without ack). '''IMPORTANT:''' An update that first goes through -proposed '''should not''' simply be pocket copied to -updates or -security. It should instead be version bumped with a no change rebuild in the -security queue (this is to avoid dependencies that are only in -updates not being satisfiable when only -security is enabled). There are cases where it may be acceptable to do a pocket copy, but it must be shown that people without -updates installed won't be adversely effected.
  * Prefer packaging the changes as [[PackagingGuide/PatchSystems|proper patches]]. When the patch system supports it, please follow [[UbuntuDevelopment/PatchTaggingGuidelines|PatchTaggingGuidelines]] and include as much information as possible. If the package does not support patch tagging, please include this information in the changelog (see below for changelog formatting).
  * Update the [[DebianMaintainerField|Maintainer field]] only if working on Feisty or newer.
 0. Properly test that the package builds and still works. You can refer to [[http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/files|QA Regression Testing]] for scripts and techniques on testing packages.
  * If possible, use publicly available exploits and test cases to verify that the bug is fixed
  * In all cases, verify that the package still functions properly
 0. Determine the version number to be used for the package. This requires some care, because it must be newer than the version being patched, but earlier than any version in the development branch. In general, you should add "0.1" to the Ubuntu revision, similar to Debian's source NMU version numbers. In the case where two Ubuntu releases have the same version number for the package, append the appropriate Ubuntu release version followed by a '.1'. In the case where there is an unofficial version in -proposed, base your changes on the non-proposed version like usual, but use a version number higher than the one in -proposed (after USN publication, a note should be added to the -proposed bug saying they need to use the new security upload). Version examples:
  {{{
============================ ===================
''Previous version'' ''Security update''
2.0-2 2.0-2ubuntu0.1
2.0-2ubuntu2 2.0-2ubuntu2.1
2.0-2ubuntu2.1 2.0-2ubuntu2.2
2.0-2build1 2.0-2ubuntu0.1
2.0 2.0-0ubuntu0.1
2.0-2 in two releases 2.0-2ubuntu0.5.04.1 and 2.0-2ubuntu0.5.10.1
2.0-2ubuntu1 in two releases 2.0-2ubuntu1.5.04.1 and 2.0-2ubuntu1.5.10.1
============================ ===================
}}}
 0. Create an appropriate changelog entry with a verbose description of the changes and CVE/CAN and other bug number references. Set the distribution '''[release]-security''', e.g. '''dapper-security''' or '''edgy-security''', and use a version number that indicates a security update. (Note that "urgency" is not used in Ubuntu, so it should just remain "low".) If there is a corresponding LaunchPad bug open for the issue, include a {{{(LP: #...)}}} section to auto-close the bug.
  '''Template:'''
  {{{
[package] ([version]) [release]-security; urgency=low
Line 16: Line 48:
 1. Collect as much information about the vulnerability as possible. Use the [http://cve.mitre.org/cve CVE database], the [http://www.securityfocus.com/archive/1 BugTraq] and [http://lists.netsys.com/mailman/listinfo/full-disclosure full-disclosure mailing list] ([http://lists.netsys.com/pipermail/full-disclosure/ archive]), the [http://bugs.debian.org Debian BTS], upstream bug tracking system, upstream revision control systems, and any other source to collect CAN/CVE numbers, causes, impacts, patches, and possible workarounds.
 2. Prepare an updated package based on the appropriate released source package or the last security update.

 * Make only the minimum changes necessary to fix the bug. This is crucial both for the review process and to avoid introducing bugs or unexpected behavioural changes
 * Prefer packaging the changes as proper patches

 3. Properly test that the package builds and still works

 * If possible, use publicly available exploits and test cases to verify that the bug is fixed
 * In all cases, verify that the package still functions properly

 4. Determine the version number to be used for the package. This requires some care, because it must be newer than the version being patched, but earlier than any version in the development branch. In general, you should add "0.1" to the Ubuntu revision, similar to Debian's source NMU version numbers:

{{{
==================== ===================
''Previous version'' ''Security update''
2.0-2 2.0-2ubuntu0.1
2.0-2ubuntu2 2.0-2ubuntu2.1
2.0-2ubuntu2.1 2.0-2ubuntu2.2
2.0 2.0-0ubuntu0.1
==================== ===================		  * SECURITY UPDATE: [how the bad guys could get you] (LP: #num).
   - changed/or/added/file1: [how it was fixed], [thanks to original author]
   - changed/or/added/file2: [how it was fixed], [thanks to original author]
   - http://path/to/patch/source/when/this/url/is/not/in/the/new/debian/patch
   - CVE-YYYY-NNNN
 * ...
Line 39: Line 56:
 5. Create an appropriate changelog entry with a verbose description of the changes and CVE/CAN and other bug number references. Set the distribution to '''warty-security''' (or '''hoary-security''' or whatever) and use a version number that indicates a security update.   '''Examples:'''
  {{{
ruby1.8 (1.8.4-1ubuntu1.6) dapper-security; urgency=low
Line 41: Line 60:
'''Real-world example:'''   * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/917_CVE-2008-3790.patch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits. Based on upstream patch.
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/918_CVE-2008-2376.patch: adjust array.c to properly
      check argument length. Based on upstream patch.
    - CVE-2008-2376
}}}
  {{{
mplayer (2:1.0~rc1-0ubuntu13.3) gutsy-security; urgency=low
Line 43: Line 74:
{{{
    groff (1.18.1.1-1ubuntu0.1) warty-security; urgency=high

     * SECURITY UPDATE: fix insecure temporary file creation
     * contrib/groffer/groffer.sh: use mktemp -d to securely create temporary
       directory; originally, a process id based approach was used (predictable,
       vulnerable to race conditions) and the directory was allowed to exist
       previously (vulnerable to overwrite user files)
     * References:
       CAN-2004-0969
       http://bugs.debian.org/278265		   * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
    earlier allow remote attackers to cause a denial of service
    (process termination) and possibly execute arbitrary code via a
    crafted video file that causes the stream_read function to read or
    write arbitrary memory. (LP: #279030)
    - libmpdemux/demux_real.c: Address various integer underflows. Patch from
      oCert.org
    - http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_real.c?r1=27314&r2=27675
    - CVE-2008-3827
Line 55: Line 84:

 6. Generate a debdiff against the previous package version, read it to verify that you only did minimal changes and that the changes are indeed correct. Publish the debdiff in Ubuntu's bug database for inspection.
 7. Updates prepared directly by the security team should be peer-reviewed. Updates prepared by others will be peer-reviewed by a security team member.
 8. Send a notification to the Ubuntu security team (security@ubuntulinux.org) with a reference to the bug where the debdiff is filed. The security team will upload it at the appropriate time.
 9. If Debian does not yet have a fix, send the package interdiff to the Debian BTS (create a new bug if necessary), CC'ing security@debian.org
 10. Try to write an appropriate "Details" section for a SecurityNotification.		  0. Generate a debdiff against the previous package version, read it to verify that you only did minimal changes and that the changes are indeed correct.
 0. Publish the debdiff in Launchpad for inspection, set the status of the bug to 'In Progress' and make sure that 'ubuntu-security' is subscribed to the bug.
 0. Please indicate the testing performed. Testing might include (but is not limited to) build tests, test suites, PoC, ABI changes, and testing the patched code so that it introduces no regressions. For more information on testing, please see [[https://launchpad.net/qa-regression-testing|QA Regression Testing]].
 0. If not present, please add CVE references to the Launchpad bug using the 'Link to CVE' functionality in Launchpad
 0. Updates prepared directly by the security team should be peer-reviewed. Updates prepared by others will be peer-reviewed by a security team member.
 0. For input on patches, send a note to the MOTU mailing list ([[http://lists.ubuntu.com/mailman/listinfo/ubuntu-motu|ubuntu-motu@lists.ubuntu.com]]) with a reference to the bug where the debdiff is filed. The security team will upload it at the appropriate time.
 0. If Debian does not yet have a fix, send the package interdiff to the Debian BTS by following [[https://wiki.ubuntu.com/Debian/Bugs|Debian/Bugs]] and [[https://wiki.ubuntu.com/Debian/Usertagging|Debian/Usertagging]] (if you use `submittodebian`, it will take care of all that for you), CC'ing security@debian.org, and adding the Debian bug to the Launchpad bug by using the 'Also affects distribution' functionality in Launchpad.
 0. If the package is in "main" or "restricted", try to write an appropriate "Details" section for an Ubuntu SecurityNotification.
Line 65: Line 96:
    1. Notification about failed builds should be automatically sent to security@ubuntulinux.org.
 2. Run ''helena'' to display the pending packages.
 3. The finished builds appear in ''jackass:/srv/ftp.no-name-yet.com/queue/accepted/''. ''cd'' to this directory.
 4. Run ''amber 42-1 yourpackage*.changes'' to publish the source package and all source debs to the archive and generate a template SecurityNotification for USN-42-1. If you uploaded several versions of the package, make sure to amber them all, otherwise they will stay in the queue. Optionally append option ''-n'' for a dry-run.
 5. The template SecurityNotification will be sent to security@ubuntulinux.org
 6. Fill the template, have it proofread by somebody and send it to ubuntu-security-announce@lists.ubuntu.com; CC bugtraq@securityfocus.com and full-disclosure@lists.netsys.com.
=== Soyuz ===

==== Local Configuration ====

 0. Make sure {{{~/.ubuntu-cve-tracker.conf}}} is fully configured (see the u-c-t README), and set the path to the ubuntu-cve-tracker bzr tree check-out: {{{UCT=/path/to/ubuntu-cve-tracker}}}
 0. Set up {{{~/.dput.cf}}} with the appropriate Security PPA upload entries:
   {{{
[security-dapper]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/dapper
login = anonymous

[security-gutsy]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/gutsy
login = anonymous

[security-hardy]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/hardy
login = anonymous

[security-intrepid]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/intrepid
login = anonymous
}}}

==== Upload/Build/Publish ====

 0. Set the name of the source package being updated: {{{export SRCPKG="srcpkg1 srcpkg2..."}}}
 0. Upload the updated source packages via dput to each release's Security PPA target. Notification about failed builds should be automatically sent to `security@ubuntu.com`.
 0. Wait for the finished builds on all supported architectures to finish and appear at the [[https://launchpad.net/~ubuntu-security/+archive|Ubuntu Security PPA]]: `$UCT/scripts/sis-changes --action check-build $SRCPKG`
 0. Request [[ArchiveAdministration#Unembargoing security uploads|unembargoing]] from a [[https://launchpad.net/~canonical-losas/+members|LOSA]] in #is or cprov (ssh forced-command needed!)

==== Announce Publication ====

(for main/restricted publications)

 0. Assign a USN (format is NNN-S, and the following instructions assume $USN has been set as desired):
  0. For a new issue, run: `USN=$(ssh rookery.canonical.com "~ubuntu-security/bin/get-next-usn")`
  0. For an old issue that needs correction or continuation, start with the issue's original USN, keep NNN and increase S. (e.g. original issue was 42-1, updated USN will be 42-'''2''').
  0. For a new issue that affects different software with identical CVEs, get a new USN normally for the first source package, and then keep NNN and increase S for each additional source package. (e.g. CVE-2008-1693 affected both poppler and koffice, so 603-1 was used for poppler and 603-2 was used for koffice). Please note that different versions of the same software (e.g. emacs21 and emacs22) should not do this, but instead use a single USN with S=1.
 0. To create the USN template script, run: `$UCT/scripts/sis-changes --download /tmp/pending $SRCPKG && cd /tmp/pending && $UCT/scripts/sis-generate-usn $USN *.changes > ~/new-usn.sh`
 0. Edit `~/new-usn.sh` to include a correct title, summary, action, description, and then limit the binary list to only those affected by the USN. Leave all URLs as-is. Have the description proofread by somebody else.
 0. To populate the USN database with the new USN details and generate the template email (sent to `security@ubuntu.com`), run: `bash ~/new-usn.sh`
 0. Wait until the packages are actually mirrored to the archive; the publisher runs hourly at :03, and updates should usually appear on `security.ubuntu.com` within 20-40 minutes (depending on the size). To verify that the packages have arrived, run: `ssh rookery.canonical.com "~ubuntu-security/bin/check-upload $USN"`
 0. Once packages are in the archive, GPG sign and send the USN email to `ubuntu-security-announce@lists.ubuntu.com`; CC `bugtraq@securityfocus.com` and `full-disclosure@lists.grok.org.uk` with a Reply-to: header set as Ubuntu Security <security@ubuntu.com>.
 0. Approve the USN mail on [[https://lists.ubuntu.com/mailman/admindb/ubuntu-security-announce]]. Ensure to reject duplicate mails from you (some list subscribers bounce mails back unmodified). Verify it went through in [[https://lists.ubuntu.com/archives/ubuntu-security-announce/]].
 0. Create a new USN page for this USN via https://www-admin.ubuntu.com/. Copy&paste the USN email text, but without the file list, wrapped in a "div class=usn" tag, include the cve file path, and a list of all the CVEs.
 0. Copy the updated USN database by running: `ssh rookery.canonical.com "~ubuntu-security/bin/push-usn-db"`
 0. For large updates (OOo, firefox, kernel, kdebase), ping an [[https://edge.launchpad.net/~ubuntu-archive/+members|archive admin]] about doing a [[ArchiveAdministration#Copying security uploads to updates|pocket-copy from -security to -updates]] to help reduce the load on security.archive.com. (ssh forced-command needed!)
 0. Check for any outstanding LP bugs tied to the CVEs that are resolved with the USN. [[https://bugs.launchpad.net/bugs/cve/YYYY-NNNN]]
 0. Delete SRCPKG from Security PPA.

==== Editing a Published USN ====
 0. Edit the page for this USN via https://www-admin.ubuntu.com/.
 0. Update the USN database with `ssh -t rookery.canonical.com ~ubuntu-security/bin/edit-usn NNN-S`, where NNN-S corresponds to the edited USN, eg 582-2.
 0. Copy the updated USN database by running: `ssh rookery.canonical.com "~ubuntu-security/bin/push-usn-db"`

=== DAK ===
DAK has been superceded by Soyuz. The old process can be seen in [[SecurityUpdateProceduresDAK]].


== Regressions ==
In the case of regressions caused by security updates, please follow the [[StableReleaseUpdates#regressions|SRU regression policy]].


----
CategoryProcess

Issues that warrant a security update

We only fix bugs in our stable releases which truly affect overall system security, i. e. which enable an attacker to circumvent the permissions configured on the system, or are a threat to the user's data in any way. Most common examples:

  • Buffer overflow in a server process which allows to crash it (denial of service) and/or to execute attacker provided code (privilege escalation).
  • Insecure temporary file handling which allows race condition and symlink attacks to delete unrelated files with the invoker's privileges.
  • Non-working security-relevant configuration options (e. g. iptables would allow packets which should be blocked, or a server's ACL option does not do the right thing).
  • Less critical bugs (like Denial of Service vulnerabilities in instant messengers or email applications) are also fixed usually, but with lower priority.

Responsibility

The Ubuntu security team (security@ubuntu.com, Launchpad team ubuntu-security) is responsible for all issues that affect source packages in Ubuntu main and restricted. Usually timely updates are provided.

The Ubuntu security team also tracks issues in universe and multiverse. It aims to solve vulnerabilities in the current development release by requesting syncs from Debian. Due to lack of manpower, flaws in stable releases and Ubuntu-modified packages are not fixed by ubuntu-security, but the team will provide assistance in releasing updates which are prepared by other developers.

Preparing an update

  1. Collect as much information about the vulnerability as possible. Use the CVE database, the BugTraq and full-disclosure mailing list (archive), the Debian BTS, upstream bug tracking system, upstream revision control systems, and any other source to collect CAN/CVE numbers, causes, impacts, patches, and possible workarounds.

  2. Prepare an updated package based on the appropriate released source package or the last security update.

    • Make only the minimum changes necessary to fix the bug. This is crucial both for the review process and to avoid introducing bugs or unexpected behavioural changes.

      • In the rare cases when a security update must include a major version update, it should, if possible, go to -proposed first for testing. Any upload by a security team member to -proposed for a security vulnerability will get accepted immediately without ack from ubuntu-sru (similar to how regular security fixes being installed into -updates happen without ack). IMPORTANT: An update that first goes through -proposed should not simply be pocket copied to -updates or -security. It should instead be version bumped with a no change rebuild in the -security queue (this is to avoid dependencies that are only in -updates not being satisfiable when only -security is enabled). There are cases where it may be acceptable to do a pocket copy, but it must be shown that people without -updates installed won't be adversely effected.

    • Prefer packaging the changes as proper patches. When the patch system supports it, please follow PatchTaggingGuidelines and include as much information as possible. If the package does not support patch tagging, please include this information in the changelog (see below for changelog formatting).

    • Update the Maintainer field only if working on Feisty or newer.

  3. Properly test that the package builds and still works. You can refer to QA Regression Testing for scripts and techniques on testing packages.

    • If possible, use publicly available exploits and test cases to verify that the bug is fixed
    • In all cases, verify that the package still functions properly
  4. Determine the version number to be used for the package. This requires some care, because it must be newer than the version being patched, but earlier than any version in the development branch. In general, you should add "0.1" to the Ubuntu revision, similar to Debian's source NMU version numbers. In the case where two Ubuntu releases have the same version number for the package, append the appropriate Ubuntu release version followed by a '.1'. In the case where there is an unofficial version in -proposed, base your changes on the non-proposed version like usual, but use a version number higher than the one in -proposed (after USN publication, a note should be added to the -proposed bug saying they need to use the new security upload). Version examples: 
    • ============================  ===================
''Previous version''          ''Security update''
2.0-2                         2.0-2ubuntu0.1
2.0-2ubuntu2                  2.0-2ubuntu2.1
2.0-2ubuntu2.1                2.0-2ubuntu2.2
2.0-2build1                   2.0-2ubuntu0.1
2.0                           2.0-0ubuntu0.1
2.0-2 in two releases         2.0-2ubuntu0.5.04.1 and 2.0-2ubuntu0.5.10.1
2.0-2ubuntu1 in two releases  2.0-2ubuntu1.5.04.1 and 2.0-2ubuntu1.5.10.1
============================  ===================

  5. Create an appropriate changelog entry with a verbose description of the changes and CVE/CAN and other bug number references. Set the distribution [release]-security, e.g. dapper-security or edgy-security, and use a version number that indicates a security update. (Note that "urgency" is not used in Ubuntu, so it should just remain "low".) If there is a corresponding LaunchPad bug open for the issue, include a (LP: #...) section to auto-close the bug.

    • Template: 

      [package] ([version]) [release]-security; urgency=low

 * SECURITY UPDATE: [how the bad guys could get you] (LP: #num).
   - changed/or/added/file1: [how it was fixed], [thanks to original author]
   - changed/or/added/file2: [how it was fixed], [thanks to original author]
   - http://path/to/patch/source/when/this/url/is/not/in/the/new/debian/patch
   - CVE-YYYY-NNNN
 * ...

      Examples: 

      ruby1.8 (1.8.4-1ubuntu1.6) dapper-security; urgency=low

  * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
    module (LP: #261459)
    - debian/patches/917_CVE-2008-3790.patch: adjust rexml/document.rb and
      rexml/entity.rb to use expansion limits. Based on upstream patch.
    - CVE-2008-3790
  * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
    service (LP: #246818)
    - debian/patches/918_CVE-2008-2376.patch: adjust array.c to properly
      check argument length. Based on upstream patch.
    - CVE-2008-2376
      mplayer (2:1.0~rc1-0ubuntu13.3) gutsy-security; urgency=low

  * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
    earlier allow remote attackers to cause a denial of service
    (process termination) and possibly execute arbitrary code via a
    crafted video file that causes the stream_read function to read or
    write arbitrary memory. (LP: #279030)
    - libmpdemux/demux_real.c: Address various integer underflows. Patch from
      oCert.org
    - http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_real.c?r1=27314&r2=27675
    - CVE-2008-3827
  6. Generate a debdiff against the previous package version, read it to verify that you only did minimal changes and that the changes are indeed correct.
  7. Publish the debdiff in Launchpad for inspection, set the status of the bug to 'In Progress' and make sure that 'ubuntu-security' is subscribed to the bug.

  8. Please indicate the testing performed. Testing might include (but is not limited to) build tests, test suites, PoC, ABI changes, and testing the patched code so that it introduces no regressions. For more information on testing, please see QA Regression Testing.

  9. If not present, please add CVE references to the Launchpad bug using the 'Link to CVE' functionality in Launchpad
  10. Updates prepared directly by the security team should be peer-reviewed. Updates prepared by others will be peer-reviewed by a security team member.

  11. For input on patches, send a note to the MOTU mailing list (ubuntu-motu@lists.ubuntu.com) with a reference to the bug where the debdiff is filed. The security team will upload it at the appropriate time.

  12. If Debian does not yet have a fix, send the package interdiff to the Debian BTS by following Debian/Bugs and Debian/Usertagging (if you use submittodebian, it will take care of all that for you), CC'ing security@debian.org, and adding the Debian bug to the Launchpad bug by using the 'Also affects distribution' functionality in Launchpad.

  13. If the package is in "main" or "restricted", try to write an appropriate "Details" section for an Ubuntu SecurityNotification.

Releasing an update

(For members of the Ubuntu security team)

Soyuz

Local Configuration

  1. Make sure ~/.ubuntu-cve-tracker.conf is fully configured (see the u-c-t README), and set the path to the ubuntu-cve-tracker bzr tree check-out: UCT=/path/to/ubuntu-cve-tracker

  2. Set up ~/.dput.cf with the appropriate Security PPA upload entries: 

    • [security-dapper]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/dapper
login = anonymous

[security-gutsy]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/gutsy
login = anonymous

[security-hardy]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/hardy
login = anonymous

[security-intrepid]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/intrepid
login = anonymous

Upload/Build/Publish

  1. Set the name of the source package being updated: export SRCPKG="srcpkg1 srcpkg2..."

  2. Upload the updated source packages via dput to each release's Security PPA target. Notification about failed builds should be automatically sent to security@ubuntu.com.

  3. Wait for the finished builds on all supported architectures to finish and appear at the Ubuntu Security PPA: $UCT/scripts/sis-changes --action check-build $SRCPKG

  4. Request unembargoing from a LOSA in #is or cprov (ssh forced-command needed!)

Announce Publication

(for main/restricted publications)

  1. Assign a USN (format is NNN-S, and the following instructions assume $USN has been set as desired):

    1. For a new issue, run: USN=$(ssh rookery.canonical.com "~ubuntu-security/bin/get-next-usn")

    2. For an old issue that needs correction or continuation, start with the issue's original USN, keep NNN and increase S. (e.g. original issue was 42-1, updated USN will be 42-2).

    3. For a new issue that affects different software with identical CVEs, get a new USN normally for the first source package, and then keep NNN and increase S for each additional source package. (e.g. CVE-2008-1693 affected both poppler and koffice, so 603-1 was used for poppler and 603-2 was used for koffice). Please note that different versions of the same software (e.g. emacs21 and emacs22) should not do this, but instead use a single USN with S=1.

  2. To create the USN template script, run: $UCT/scripts/sis-changes --download /tmp/pending $SRCPKG && cd /tmp/pending && $UCT/scripts/sis-generate-usn $USN *.changes > ~/new-usn.sh

  3. Edit ~/new-usn.sh to include a correct title, summary, action, description, and then limit the binary list to only those affected by the USN. Leave all URLs as-is. Have the description proofread by somebody else.

  4. To populate the USN database with the new USN details and generate the template email (sent to security@ubuntu.com), run: bash ~/new-usn.sh

  5. Wait until the packages are actually mirrored to the archive; the publisher runs hourly at :03, and updates should usually appear on security.ubuntu.com within 20-40 minutes (depending on the size). To verify that the packages have arrived, run: ssh rookery.canonical.com "~ubuntu-security/bin/check-upload $USN"

  6. Once packages are in the archive, GPG sign and send the USN email to ubuntu-security-announce@lists.ubuntu.com; CC bugtraq@securityfocus.com and full-disclosure@lists.grok.org.uk with a Reply-to: header set as Ubuntu Security <security@ubuntu.com>.

  7. Approve the USN mail on https://lists.ubuntu.com/mailman/admindb/ubuntu-security-announce. Ensure to reject duplicate mails from you (some list subscribers bounce mails back unmodified). Verify it went through in https://lists.ubuntu.com/archives/ubuntu-security-announce/.

  8. Create a new USN page for this USN via https://www-admin.ubuntu.com/. Copy&paste the USN email text, but without the file list, wrapped in a "div class=usn" tag, include the cve file path, and a list of all the CVEs.

  9. Copy the updated USN database by running: ssh rookery.canonical.com "~ubuntu-security/bin/push-usn-db"

  10. For large updates (OOo, firefox, kernel, kdebase), ping an archive admin about doing a pocket-copy from -security to -updates to help reduce the load on security.archive.com. (ssh forced-command needed!)

  11. Check for any outstanding LP bugs tied to the CVEs that are resolved with the USN. https://bugs.launchpad.net/bugs/cve/YYYY-NNNN

  12. Delete SRCPKG from Security PPA.

Editing a Published USN

  1. Edit the page for this USN via https://www-admin.ubuntu.com/.

  2. Update the USN database with ssh -t rookery.canonical.com ~ubuntu-security/bin/edit-usn NNN-S, where NNN-S corresponds to the edited USN, eg 582-2.

  3. Copy the updated USN database by running: ssh rookery.canonical.com "~ubuntu-security/bin/push-usn-db"

DAK

DAK has been superceded by Soyuz. The old process can be seen in SecurityUpdateProceduresDAK.

Regressions

In the case of regressions caused by security updates, please follow the SRU regression policy.

CategoryProcess

SecurityTeam/UpdateProcedures (last edited 2019-09-16 14:57:57 by seth-arnold)