mailing-lists:distros
source link: https://oss-security.openwall.org/wiki/mailing-lists/distros
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
List policy and instructions for reporters
PLEASE NOTE THAT BY POSTING TO THESE LISTS YOU ACCEPT CERTAIN RESPONSIBILITIES. PLEASE READ THIS SECTION CAREFULLY BEFORE YOU POST.
Please only use these lists to report and discuss security issues that are not yet public (but that are to be made public very soon - please see below). For security issues that are already public or that are to be made public right away, please post to oss-security instead (and it's literally “instead”, not “as well”, since all of the distros in here are supposed to monitor oss-security closely as well). In either case, we're only interested in issues affecting Open Source software.
Please note that in case a fix for an issue is already in a publicly accessible source code repository, we generally consider the issue public (and thus you should post to oss-security right away, not report the issue to (linux-)distros as we'd merely redirect you to oss-security anyway and insist that you make the required posting ASAP). There can be occasional exceptions to this, such as if the publicly accessible fix doesn't look like it's for a security issue and not revealing this publicly right away is somehow deemed desirable. In particular, we grant such exceptions for (1) Linux kernel issues concurrently or very recently handled by the Linux kernel security team and (2) curl issues ranked as low or medium severity by the curl project. In all other cases, you'd have to have very sound reasoning to claim an exception like this and be prepared to lose your argument and if so to post to oss-security ASAP anyway.
It is intended that these lists be used primarily to provide actionable information to multiple distribution vendors at once. While you may at the same time request and obtain a CVE ID (to be assigned by one of the CNAs present on these lists) for the issue you report, and that's great, please avoid using these lists if your sole purpose of their use is to obtain a CVE ID (e.g., when the affected software isn't something any of the distributions currently ship, or when they are unlikely to benefit from the advance notice). 1)
To report a non-public medium or high severity 2) security issue to one of these lists, send e-mail to distros [at] vs [dot] openwall [dot] org or linux [dash] distros [at] vs [dot] openwall [dot] org (just one of these lists depending on who you want to inform), preferably PGP-encrypted to the key below (yes, same key for both lists). Be sure to include [vs]
(four characters) in the Subject line, or your message will most likely 3) be rejected by the mail server. (This helps us filter out spam, and confirm that you indeed read this policy before successfully sending anything to us.) In your message, please propose a (tentative) public disclosure date/time for the issue. 4) If you do not hear back within 48 hours, please send another message to inquire whether your initial message has in fact been received.
The supported message formats are: plain unencrypted messages (including with attachments), PGP/MIME (including with attachments), or inline PGP. (In all of these cases, messages are distributed to list members (re-)encrypted to their own keys - except that headers, including From and Subject, are not encrypted, so you may want to avoid including security sensitive information in the Subject.) However, manual PGP-encrypted attachments are not supported (so if you want to attach file(s) to your encrypted message, use PGP/MIME). The attachment filenames should be alphanumeric, except that dot, minus sign, and underscore characters are allowed within the filenames (not as the first character of a filename).
Please note that the maximum acceptable embargo period for issues disclosed to these lists is 14 days. Please do not ask for a longer embargo. In fact, embargo periods shorter than 7 days are preferable. Please notify upstream projects/developers of the affected software, other affected distro vendors, and/or affected Open Source projects before notifying one of these mailing lists in order to ensure that these other parties are OK with the maximum embargo period that would apply (and if not, then you may have to delay your notification to the mailing list), unless you're confident you'd choose to ignore their preference anyway and disclose the issue publicly soon as per the policy stated here.
When the security issue is finally (to be made) public, it is your (the original reporter's) responsibility to post about it to oss-security (indeed, you and others may also post to any other mailing lists, etc.) In your mandatory oss-security posting, you must include sufficient detail for non-members of these private lists to also fix the issue.
If you shared exploit(s) that are not an essential part of the issue description, then at your option you may slightly delay posting them to oss-security but you must post the exploits to oss-security within at most 7 days of making the mandatory posting above. If you exercise this option, you have two mandatory postings to make: first with a sufficiently detailed issue description (as requested above) and with an announcement of your intent to post the exploits separately (please mention exactly when), and second with the exploits - or indeed you could have included the exploits right away, in your first and only mandatory posting.
If you'd like to post a follow-up to or otherwise continue discussing an issue that has already been made public, please post those messages only to oss-security instead. The (linux-)distros lists are for embargoed discussions only, and we mean it. If you do have a good reason to keep your follow-up(s) under a new embargo, it's OK to send them to (linux-)distros, but please be aware that this starts the whole process all over again - you need to propose a public disclosure date right away, etc., and then bring those follow-up(s) to oss-security once the new embargo is over.
Please note that any/all list postings may be made public once the corresponding security issue is publicly disclosed, so please do not post information that you want to stay private forever. 5)
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.10 (GNU/Linux) mQENBE2YijgBCADJ7gsXv583bcxm7D4gGCjqUuNv+qLj6fgB+/QNFOM0z3OB2YNj 3oaBRSR5DKhDRvHmNRbXTvNO7OjzPojMmkDlq2UgcmGHIrYraw9q/e1Hpom4dF+O 1dIMwyOZ1WARtlR5znd3hwkGrGiFnkLqDJDLKXUn/rSbRTFhay1zv1dAknR4/+zJ 74YBhZo95zVYA7piF0VmDvXDK+9R3bQM0SgoThyfdiQQMpoFd48y0jFtcbrQlVgU 7M5l/6JKTqANqxG3Qeilavqg9jG1AQyrGJCoCI6ItgDk1AyHB8hLHN6QVQl9XPpC Uo5oXYpzPcMpdKzhnMD6/AzF+z6UEHmcmArtABEBAAG0PkxpbnV4IGRpc3RybyBz ZWN1cml0eSBjb250YWN0cyA8bGludXgtZGlzdHJvc0B2cy5vcGVud2FsbC5vcmc+ iQE4BBMBAgAiBQJNmIo4AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDW zkyuR+r385KNB/0RyvjAjy6Zz2+UDq4JzR8aAt0DAScycD/1jWMBzwncBrkoXG0v yJ+m5AFtXcHRKGYgfZ8Aothpe5vi/fnQnuAzz2RyGDw15/7wyXWsA3rbWELCxx13 iLfFrFAXboM7FlGCCdALosEaJBM2gAuCNouxraFWXVOKXUPyJ1Kpry9AIffQJWD3 2Zzn2xsPbd02Fa6nLUWf+g3608RzqUv0TZmaFu4cFjGZkrx+RejUaSchPaf9Mqal PlIQSMBsYgZlKYVcIXGXlSA3iXhFzcLgzlwcL6MMtK+iK7UJBXMCmw1GjrTsUcY0 qeJFZzJ43wf/AoamAHKmOQIqxxIfebJX/98riEYEEBECAAYFAk2YuO4ACgkQovwC fFs0HxW8yQCfTFiGhEsDJyPRAXmBXMWEDxYq4gwAoICEzh0+CHUWazrIcHh4D7wl zYwltENPcGVyYXRpbmcgc3lzdGVtIGRpc3RybyBzZWN1cml0eSBjb250YWN0cyA8 ZGlzdHJvc0B2cy5vcGVud2FsbC5vcmc+iQE4BBMBAgAiBQJO4YbYAhsDBgsJCAcD AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDWzkyuR+r38xHJB/9paDZv6RWnGFcCv7bO dvvBborWfyEjDW0kHHnevN1BLNaVq9RPRhSIbvVd3JGEkYi+C0HIUZAK0NNs8Yjh CPQKKE2FIVLsO7wTt+FWOpKvQZWuNbPW3vvJ8x82NkmUGjMPP0JDRV+N/SB37JDc ndjz+19SI228lxqlazS8OqbrZOeSeawKafcGVFv3CTbR2lj+1mHo6DyUbZeXf7Cq K5wfZYhxlNtrh8gAS3vCizoIhuRzxdCF6nxobcjCYoXbtJpx30J7bUHAp6Rc5vr1 hdZDS+LxJ704x9cmEof9DgWQ4QbVb54R8xAbRpU3RFZ0veZcPu4P6mpI2ba6bP9f 6mSsuQENBE2YijgBCACkA8GQr4IYbrPU5qDsTLvlL3YU8Bekg1HlhKOC+gr8/PqI 09fQMaWBM9n79/ss4ZaS3IAX/S0HZtfpmfNc36FMTlpJRnbY1tF3NqjeIHJUGaf+ 0jXTInRdOxq0U0jHqW/GLr6rNjxLFhhtFI7Y622vPf03cvZYd/pBjyYlZCHAxeRC 0OqfXLUiNLr2L0LptUO8RsWUhZJtEW65fjn0heka/eh/P+IINQrA5ranVohv6tST ucL8blHr91AfiNw9oI0VYI8jvkVQx+cjgJeTYlOegqzZ3Vq+une21nkLd9nbuauJ Q7lodfhzH6yUrTQjwUpxi/udXNFFIJFuM6IAAGkfABEBAAGJAR8EGAECAAkFAk2Y ijgCGwwACgkQ1s5Mrkfq9/O7fgf/WYnIqcEQivO9SB90O1jplJP55HZoIUwf4Rrp Y9Nbz3nG2qXo1b68kw/O/zggU90K3oJ+yzsyETLAOH5+nrOPBxjrGIYbVsEMt+Vf W+7WahYvh30IJWLMy3Xv3v7uzHzP5T81FnwJyja85Y56rLyaYhk9E3KYcJ1phaYW oFDQuioFUFDi6TV5WK13B5d/InTy/4uQDzOWPE0Ev8RTZex7hDx+SxwASszQnghn ovWWEa96Gh5fpdoyWpBE9Na/9Hz2y8RO+Okctct4xdZZFYcEg4wpnFigCBFIq+jx K4LI8Y1o8SiVLMztF+knDaZxohs+7BWYGzsWvsYOGqTMkBM5IQ== =E3Xb -----END PGP PUBLIC KEY BLOCK-----
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK