[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))

On Fri, 2013-01-04 at 16:01 +0000, Xen.org security team wrote:
>      Hypervisor crash due to incorrect ASSERT (debug build only) 

While dealing with this issue the security team was faced with the
question as to whether bugs which are exposed only in debug=y builds
should be considered security relevant (i.e. would normally require an
embargo period, a full advisory, etc).

The Security Response Policy[0] does not offer any guidance on this
issue. We concluded that we should treat this issue as a normal Security
issue and then seek guidance from the community as to what we should do
in the future.

So what are your expectations for security sensitive bugs which only
affect debug builds? Note that debugging is disabled by default and that
we would recommended running non-debug builds in production.

Options which I can think of are:

      * debug=y bugs are Just Bugs and not security issues. i.e. they
        are discussed and fixed publicly on xen-devel and the fix is
        checked in in the usual way. There is no embargo or specific
        announcement. changelog may or may not refer to the security
        implications if debug=y is enabled.
      * debug=y bugs are security issues regardless, they are treated
        like any other security issue, i.e. following the process[0].
      * debug=y bugs are somewhere in the middle. (perhaps no embargo,
        less formal announcement etc etc)
      * ...

Any input appreciated. I will draft a process update as necessary based
on the response.


[0] http://www.xen.org/projects/security_vulnerability_process.html

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.