
List:       xen-announce
Subject:    [Xen-announce] Updates to Xen Project Security Process
From:       Lars Kurth <lars.kurth.xen () gmail ! com>
Date:       2015-03-02 14:59:51
Message-ID: 742C9217-872C-40E5-853F-CBFFD9BB59B4 () gmail ! com

Dear Community Members,

Before Christmas, the Xen Project ran a community consultation <https://blog.xenproject.org/2014/10/22/xen-project-security-policy-improvements-get-involved/> to refine its Security Problem Response Process <http://www.xenproject.org/security-policy.html>. We recently approved changes that, in essence, are tweaks to our existing process, which is based on the Responsible Disclosure <http://en.wikipedia.org/wiki/Responsible_disclosure> philosophy.

Responsible Disclosure and our Security Problem Response Process are important components of keeping users of Xen Project-based products and services safe from security exploits. Both ensure that products and services can be patched by members of the pre-disclosure list before details of a vulnerability are published and before said vulnerabilities can be exploited by black hats.

The changes to our response process fall into a number of categories:

 - Clarify whether security updates can be deployed on publicly hosted systems (e.g. cloud or hosting providers) during embargo
 - Sharing of information among pre-disclosure list members
 - Applications procedure for pre-disclosure list membership

The complete discussion leading to the changes, the concrete changes to the process, and the voting records supporting the changes are tracked in Bug #44 - Security policy ambiguities <http://bugs.xenproject.org/xen/bug/44>. On February 11, 2015, the proposed changes were approved in accordance with Xen Project governance. Note that some process changes are already implemented, whereas others are waiting for new tooling before they can fully be put in place. We have however updated our Security Problem Response Process <http://www.xenproject.org/security-policy.html> as most tooling is present today.

Process Changes Already in Operation

The updated policy makes explicit whether or not patches related to a Xen Security Issue can be deployed by pre-disclosure list members. The concrete policy changes can be found here <http://lists.xen.org/archives/html/xen-devel/2015-01/msg03016.html> and here <http://lists.xen.org/archives/html/xen-devel/2015-01/msg03017.html>. In practice, every Xen Security Advisory will contain a section such as:

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

This section will clarify whether deploying fixed versions of Xen during the embargo is allowed. Any restrictions will also be stated in the embargoed advisory. The Security Team will impose deployment restrictions only to prevent the exposure of security vulnerability technicalities which present a significant risk of vulnerability rediscovery (for example, through visible differences in behaviour). Such situations have been, and are expected to be, rare.

Changes to Application Procedure for Pre-disclosure List Membership

We also made additional changes related to streamlining and simplifying the process of applying for pre-disclosure list membership. Detailed policy changes can be found here <http://lists.xen.org/archives/html/xen-devel/2015-01/msg03022.html> and here <http://lists.xen.org/archives/html/xen-devel/2015-01/msg03019.html>. Moving forward, future applications to become members of the Xen Project pre-disclosure list have to be made publicly on the predisclosure-applications <http://www.xenproject.org/help/mailing-list.html#predisclosure-applications> mailing list. This enables Xen Project community members to provide additional information and also is in line with one of our community's core principles: transparency. In addition, we've clarified our eligibility criteria to make it easier for the Xen Project Security Team, as well as observers of the mailing list, to verify whether applicants are eligible to become members of the list.

Process Changes That Require Some Tooling

Sharing of Information Among Pre-disclosure List Members

Finally, members of the pre-disclosure list will be explicitly allowed to share fixes to embargoed issues, analysis, and other relevant information with the security teams of other pre-disclosure members. Information sharing will happen on a private and secure mailing list hosted by the Xen Project. More details here <http://lists.xen.org/archives/html/xen-devel/2015-01/msg03015.html>.

Best Regards

Lars

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
