
Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability



> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> 
>>>> On 24.01.17 at 12:33, <ian.jackson@xxxxxxxxxxxxx> wrote:
>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability"):
>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>> Xen Security Team will pro-actively investigate the vulnerability of
>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>> and NetBSD.  The security team will also test or otherwise investigate
>>> the vulnerability of supported Windows versions, and it may also do so
>>> for some other proprietary operating systems."
>> 
>> I don't think we can promise to come up with a definite conclusion
>> for any proprietary system, can we?  Answering such a question for
>> Windows is not within our power because we don't have the source code.
> 
> Well - see George's original mail, which the above was a reply to.
> He has suggested that there's enough knowledge around.
> 
>> The question, which the above text leaves unclear, is, what do we do
>> if we aren't sure whether there are configurations of Windows which
>> have the exposed behaviour.
> 
> I think I had given my opinion on this in an earlier mail: If in doubt,
> we ought to issue an advisory.

And my response (in not so many words) was that the statement, “If in doubt we
ought to issue an advisory” is too black-and-white, and (it seems to me) will
probably always result in an advisory being issued; thus making the whole
discussion moot.

But perhaps we’re using the word “doubt” a bit differently.  In the case of 
XSA-176 and 192, for instance, would you have said that we had any doubts about 
whether Windows was vulnerable?

In any case, I don’t think the text as proposed promises to come up with a 
definite conclusion for *any* operating system; what it promises is to “test” 
or “investigate”.  I think that is certainly something we should be able to 
promise to do. 

 -George
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel