[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))

To: Keir Fraser <keir@xxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Mon, 7 Jan 2013 11:21:15 +0000
Cc: xen-users <xen-users@xxxxxxxxxxxxx>, Ian Campbell <ijc@xxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Mon, 07 Jan 2013 11:21:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 07/01/13 11:08, Keir Fraser wrote:

On 07/01/2013 10:21, "Ian Campbell"<ijc@xxxxxxx>  wrote:

On Fri, 2013-01-04 at 16:01 +0000, Xen.org security team wrote:

      Hypervisor crash due to incorrect ASSERT (debug build only)

While dealing with this issue the security team was faced with the
question as to whether bugs which are exposed only in debug=y builds
should be considered security relevant (i.e. would normally require an
embargo period, a full advisory, etc).

The Security Response Policy[0] does not offer any guidance on this
issue. We concluded that we should treat this issue as a normal Security
issue and then seek guidance from the community as to what we should do
in the future.

So what are your expectations for security sensitive bugs which only
affect debug builds? Note that debugging is disabled by default and that
we would recommended running non-debug builds in production.

Options which I can think of are:

       * debug=y bugs are Just Bugs and not security issues. i.e. they
         are discussed and fixed publicly on xen-devel and the fix is
         checked in in the usual way. There is no embargo or specific
         announcement. changelog may or may not refer to the security
         implications if debug=y is enabled.

This is my preference. I consider debug builds to be developer builds, and
wouldn't expect to see them used in production environments. We set debug=n
by default in our stable branches for that reason.

  -- Keir

I second this opinion. Production environments should not be runningdevelopment builds.


~Andrew

       * debug=y bugs are security issues regardless, they are treated
         like any other security issue, i.e. following the process[0].
       * debug=y bugs are somewhere in the middle. (perhaps no embargo,
         less formal announcement etc etc)
       * ...

Any input appreciated. I will draft a process update as necessary based
on the response.

Ian.

[0] http://www.xen.org/projects/security_vulnerability_process.html


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))
  - From: Ian Campbell

References:
- Re: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))
  - From: Keir Fraser

Prev by Date: Re: [Xen-devel] Is it possible to follow a rebooted domain (with a different ID)?
Next by Date: Re: [Xen-devel] [PATCH] fix wrong path while calling pygrub and libxl-save-helper
Previous by thread: Re: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))
Next by thread: Re: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.