
Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability



>>> On 24.01.17 at 16:01, <George.Dunlap@xxxxxxxxxx> wrote:

>> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@xxxxxxxx> wrote:
>> 
>>>>> On 24.01.17 at 12:33, <ian.jackson@xxxxxxxxxxxxx> wrote:
>>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen security
>>> policy about what constitutes a vulnerability"):
>>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>> and NetBSD.  The security team will also test or otherwise investigate
>>>> the vulnerability of supported Windows versions, and it may also do so
>>>> for some other proprietary operating systems."
>>> 
>>> I don't think we can promise to come up with a definite conclusion
>>> for any proprietary system, can we?  Answering such a question for
>>> Windows is not within our power because we don't have the source code.
>> 
>> Well - see George's original mail, which the above was a reply to.
>> He has suggested that there's enough knowledge around.
>> 
>>> The question, which the above text leaves unclear, is, what do we do
>>> if we aren't sure whether there are configurations of Windows which
>>> have the exposed behaviour.
>> 
>> I think I had given my opinion on this in an earlier mail: If in doubt,
>> we ought to issue an advisory.
> 
> And my response (in not so many words) was that the statement, “If in doubt 
> we ought to issue an advisory” is too black-and-white, and (it seems to me) 
> will probably always result in an advisory being issued; thus making the 
> whole discussion moot.  
> 
> But perhaps we’re using the word “doubt” a bit differently.  In the case of 
> XSA-176 and 192, for instance, would you have said that we had any doubts 
> about whether Windows was vulnerable?

For 192 - no. For 176 I wouldn't be that sure.

> In any case, I don’t think the text as proposed promises to come up with a 
> definite conclusion for *any* operating system; what it promises is to “test” 
> or “investigate”.  I think that is certainly something we should be able to 
> promise to do. 

I agree, but I had got the impression that this was too little / weak
for Ian.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
