Security: Difference between revisions

From Yocto Project
Jump to navigationJump to search
Line 31: Line 31:
'''How to Contact Yocto's security team Securely'''
'''How to Contact Yocto's security team Securely'''
---------------------------------------------
---------------------------------------------
Please send private vulnerability reports to '''security[at]yoctoprojct[dot]org'''.
Please send private vulnerability reports to '''security [at] yoctoprojct [dot] org'''.
   
   
For secure communications, send your messages encrypted to '''sona[dot]sarmadi[at]enea[dot]com''' using the following GPG key:
For secure communications, send your messages encrypted to '''sona [dot] sarmadi [at] enea [dot] com''' using the following GPG key:


Download public key: [https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14 pgp.mit.edu]
Download public key: [https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14 pgp.mit.edu]

Revision as of 09:37, 26 February 2015

Since the Yocto Project is intended to be flexible and meet the needs of many applications, we leave policy-making decisions around security to our end users. Our goal instead is to ship each release with metadata that follows best practices in that we do not release recipe versions which are known to have significant security vulnerabilities. Generally this is done by upgrading recipes to newer versions that are no longer vulnerable to these issues.

Upgrading recipes to the newer versions in the maintenance branches is not always easy, this is why we provide a patch for the existing version instead if we detect a vulnerability in a package. The patches are added to the recipes, see example below:

 poky/recipes-connectivity/bind/bind_9.9.5.bb
 
 SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
          file://conf.patch \
          ...
          file://bind9_9_5-CVE-2014-8500.patch \


We are tracking security vulnerabilities in the Yocto Project against the National Vulnerability Database.

We also track CVEs reported to the oss-security list (Open Source Software Security) http://www.openwall.com/lists/oss-security/


Yocto Security Team

The purpose of creating a security team in the Yocto project is to discuss, sync and organize security related activities.

The team's main responsibilities among others are:

  • Scanning of security forums/mailing list(s) to detect security vulnerabilities reported by community
  • Responsible for fixing CVEs in the Yocto releases & maintained branches
  • Evaluation of tools for security tests
  • Responsible for security related info in the Yocto documentations
  • Hardening of Yocto release


How to Contact Yocto's security team Securely


Please send private vulnerability reports to security [at] yoctoprojct [dot] org.

For secure communications, send your messages encrypted to sona [dot] sarmadi [at] enea [dot] com using the following GPG key:

Download public key: pgp.mit.edu

Anyone can contribute Yocto with security patches as before, but those volunteering to this security team will sync/organize security related activities and take more responsibility

Branches maintained with security fixes

Major version Current Version Branch name BitBake version Maintainer
1.7 1.7 dizzy 1.24 Armin Kuster <akuster808@gmail.com>
1.6 1.6.1 daisy 1.22 Saul Wold <sgw@linux.intel.com>
1.5 1.5.3 dora 1.20 Robert Yang <liezhi.yang@windriver.com>
1.4 1.4.3* dylan 1.18 Paul Eggleton <paul.eggleton@linux.intel.com>
1.3 1.3.2 danny 1.16 Ross Burton <ross.burton@intel.com>


All CVEs (security patches) should be backported to all branches above (if at all possible). Versions in grey are no longer actively maintained, but well-tested security patches may still be accepted for them.)


See Stable branches maintenancefor detailed info regarding the policies and maintenance of Stable branch

Kernel security patches

Kernel security patches are backported to Linux-yoco kernels regularly from https://www.kernel.org/

Linux-yocto

linux-yocto_3.10 & linux-yocto_3.14 (maintainer: Ross Burton)

Vendor kernels

Kernel security patches are also backported to Linux-vendor kernels from https://www.kernel.org/

  • meta-intel (meta-intel uses Linux-yocto)
  • meta-fsl-ppc (maintainer: xxx)
  • meta-fsl-arm (maintainer: xxx)
  • meta-xilinx (maintainer: xxx)
  • meta-ti (maintainer: xxx)
  • etc

How to test

If there is any test case for the vulnerability by the upstream project or community

- Run the test to reproduce the problem and verify the correction. 
- Run the regression test

If there isn’t any test case and it is complicated and time consuming to write a testcase

- Run the regressions test


Regression test

  • Build the core image for at least two architectures (preferably one big-endian and one little-endian)
  • Run ptest (for those branches/packages that there is ptest mechanism)

Patch name convention and commit message

Security patches should have reference to the CVE identifier both in the patch file/s and the commit comment.

Please make sure to add the package name in the subject and the reference to the CVE. Example for the commit comment:

   bash: CVE-2014-6278
   
   <short description>
   
   <[YOCTO #xxx] if there is any>
   
   References
   E.g. link to CVE or other useful info/blog/advisory.
   
   Signed-off-by: 
   

For additional guidelines refer to: Commit Patch Message Guidelines

Some security related links/useful tools

Security Issues Addressed in Yocto Releases

Yocto 1.7.1 - Dizzy https://www.yoctoproject.org/downloads/core/dizzy171

Yocto 1.7 - Dizzy https://www.yoctoproject.org/downloads/core/dizzy17

Yocto 1.6 - Daisy https://www.yoctoproject.org/downloads/core/daisy16