[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] security-process.pandoc: Statement on issuing XSAs for older versions of Xen

We recently had a situation where a security issue was discovered
which only affected versions of Xen out of security support from an
upstream perspective.  However, many downstreams (including XenServer
and SUSE) still had supported products based on the versions affected.

Specify what the security team will do in this situation in the
future.  As always, the goal here is to be fair and helpful, without
adding to the workload of the security team.  Inviting downstreams to
list versions and ranges, as well as expecting them to be involved in
the patch, gives organizations without representation in the security
team the opportunity to decide to engage in the security process.  At
the same time, it puts he onus of determining which products and which
versions might be affected, as well as the core work of creating and
testing a patch, on downstreams.

Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxx>
---
The entire security-process.pandoc file can be found here:

https://gitlab.com/xen-project/people/gdunlap/old-governance
---
 security-policy.pandoc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/security-policy.pandoc b/security-policy.pandoc
index 76c25e1..23b6381 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -30,6 +30,20 @@ Vulnerabilities reported against other Xen Project teams 
will be handled on a
 best effort basis by the relevant Project Lead together with the Security
 Response Team.
 
+The Xen Project Security Team will issue XSAs, including patches, for
+all upstream versions of the Xen Project Hypervisor currently under
+security support.
+
+It is often the case that downstreams have a longer product support
+lifecycle than upstream Xen provides.  Downstreams are invited to
+inform the security team of the Xen version and support window of
+these products.  If a security issue is discovered which does not
+affect upstream "security supported" versions, but does (or may)
+affect a supported product containing one of these older versions, the
+downstreams will be informed privately.  If at least one of the
+downstreams chooses to participate in the development of a patch, then
+an XSA will be issued according to our normal process.
+
 Specific process
 ----------------
 
-- 
2.42.0

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.