[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))

  • To: Ian Campbell <ijc@xxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, xen-users <xen-users@xxxxxxxxxxxxx>
  • From: Keir Fraser <keir@xxxxxxx>
  • Date: Mon, 07 Jan 2013 11:08:20 +0000
  • Delivery-date: Mon, 07 Jan 2013 11:09:47 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>
  • Thread-index: Ac3sx00c+rxjF43J9Em2Q72NA6S8AA==
  • Thread-topic: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))

On 07/01/2013 10:21, "Ian Campbell" <ijc@xxxxxxx> wrote:

> On Fri, 2013-01-04 at 16:01 +0000, Xen.org security team wrote:
>>      Hypervisor crash due to incorrect ASSERT (debug build only)
> While dealing with this issue the security team was faced with the
> question as to whether bugs which are exposed only in debug=y builds
> should be considered security relevant (i.e. would normally require an
> embargo period, a full advisory, etc).
> The Security Response Policy[0] does not offer any guidance on this
> issue. We concluded that we should treat this issue as a normal Security
> issue and then seek guidance from the community as to what we should do
> in the future.
> So what are your expectations for security sensitive bugs which only
> affect debug builds? Note that debugging is disabled by default and that
> we would recommended running non-debug builds in production.
> Options which I can think of are:
>       * debug=y bugs are Just Bugs and not security issues. i.e. they
>         are discussed and fixed publicly on xen-devel and the fix is
>         checked in in the usual way. There is no embargo or specific
>         announcement. changelog may or may not refer to the security
>         implications if debug=y is enabled.

This is my preference. I consider debug builds to be developer builds, and
wouldn't expect to see them used in production environments. We set debug=n
by default in our stable branches for that reason.

 -- Keir

>       * debug=y bugs are security issues regardless, they are treated
>         like any other security issue, i.e. following the process[0].
>       * debug=y bugs are somewhere in the middle. (perhaps no embargo,
>         less formal announcement etc etc)
>       * ...
> Any input appreciated. I will draft a process update as necessary based
> on the response.
> Ian.
> [0] http://www.xen.org/projects/security_vulnerability_process.html
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.