UpdateProcedures

Revision 102 as of 2009-04-23 20:22:59


Issues that warrant a security update

We only fix bugs in our stable releases that truly affect overall system security, i.e. bugs that enable an attacker to circumvent the permissions configured on the system, or that are a threat to the user's data in any way. The most common examples:

  • A buffer overflow in a server process which allows an attacker to crash it (denial of service) and/or to execute attacker-provided code (privilege escalation).
  • Insecure temporary file handling which allows race condition and symlink attacks to delete unrelated files with the invoker's privileges.
  • Non-working security-relevant configuration options (e.g. iptables would allow packets which should be blocked, or a server's ACL option does not do the right thing).
  • Less critical bugs (like denial of service vulnerabilities in instant messengers or email applications) are usually fixed as well, but with lower priority.

Responsibility

The Ubuntu Security team (security@ubuntu.com, Launchpad team ubuntu-security) is responsible for all issues that affect source packages in Ubuntu main and restricted.

The Ubuntu Security team also tracks issues in universe and multiverse and aims to solve vulnerabilities for these packages in the current development release by requesting syncs from Debian. Fixes for flaws in packages from universe and multiverse for stable releases should be prepared by community members.

Preparing an update

Preparing an update requires a lot of effort and attention to detail. Ubuntu has millions of users, and they expect a very high level of stability in their systems. To achieve a high level of quality, the process has been broken down into the following stages:

The MOTU and MOTU Swat developers are available to answer questions and provide assistance in preparing updates. The Ubuntu Security team will process updates from the community and provide assistance as needed.

Remember: people can help with any stage of the process, so don't be shy. Get involved!

Releasing an update

Only members of the Ubuntu Security team can publish security updates into the security pocket for a given Ubuntu release. Updates are usually uploaded to and published from the private Ubuntu Security team PPA, though other teams may have their own PPAs that updates may be pulled from.

The Ubuntu Security team publishes updates from the following:

Regressions

In the case of regressions caused by security updates, please follow the SRU regression policy.

