BugTriage

Revision 2 as of 2009-01-26 21:31:35


Introduction

The SecurityTeam processes bugs according to its own workflows, but in general most of the standard HowToTriage processes also apply to security bugs. The items below cover the points where handling security bugs differs.

Reporting

  1. To report a new private security bug, file it in Launchpad and check the "Security" flag when submitting.
  2. To mark an existing bug as a security issue, click the 'This report is public' link, and then check the 'This bug is a security bug' checkbox. Doing this alerts the SecurityTeam by subscribing the team to the bug. Do not assign ubuntu-security to the bug. You may optionally make the bug private at this point, but remember that making a bug private only hides it from people who are not subscribed: everyone already subscribed to the bug can still see it.

Triaging

Status

The status of a security bug is based on the following:

  • New: a new bug in need of triage.

  • Incomplete: more information is needed from the reporter.

  • Confirmed: the bug is a security vulnerability. Bugs in the confirmed state should usually have a CVE link in the bug.

  • Triaged: the vulnerability is understood, and a patch is needed. Bugs in the triaged state will most often have an upstream bug reference.

  • In Progress: a pending patch is attached to the bug report. A patch that requires more work will be downgraded to Triaged and should be marked back to In Progress after the contributor has resubmitted the patch. See SecurityUpdateProcedures for more information on submitting patches.

  • Fix Committed: the fix is in the Ubuntu Security PPA or in a proposed repository, pending publication.

  • Fix Released: the fix has been published to the security repository. Packages in main will also have a corresponding USN. Including the LP: #123456 bug identifier in the package's debian/changelog entry will automatically mark the bug as Fix Released when the package is uploaded, for uploads targeting Ubuntu 6.10 (Edgy) and later. For Ubuntu 6.06 LTS (Dapper) and earlier the status must be changed manually.

  • Invalid: the vulnerability does not affect this release.
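The Fix Released rule above depends on the "LP: #NNNNNN" reference in debian/changelog and on which release the upload targets. The following is an added example, not code from this wiki page or from the Ubuntu or Launchpad tooling: it parses a small, constructed changelog (the package name "hello", its versions, the maintainer line and the bug numbers other than the page's own 123456 placeholder are all hypothetical), extracts the bug numbers the newest entry references, and applies the page's rule that auto-closing only happens for Edgy (6.10) and later. The bug-reference pattern is an assumed approximation of Launchpad's changelog matcher, and the codename-to-version table lists the releases that existed at this page's revision date.

```python
"""Report which Launchpad bugs an Ubuntu upload's changelog entry would close.

Added example, not part of the Ubuntu wiki page or of Launchpad itself.
"""
import re

# Constructed sample debian/changelog. Package, versions, maintainer and the
# bug numbers 123457, 123458 and 100000 are hypothetical; 123456 is the
# placeholder used on the wiki page.
SAMPLE_CHANGELOG = """\
hello (2.2-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: buffer overflow in greeting parser (LP: #123456)
    - debian/patches/fix-greet-overflow.patch: bound the copy in greet.c
  * Also closes LP: #123457, #123458

 -- Jane Doe <jane@example.com>  Mon, 26 Jan 2009 21:31:35 +0000

hello (2.2-1) intrepid; urgency=low

  * New upstream release (LP: #100000)

 -- Jane Doe <jane@example.com>  Mon, 05 Jan 2009 10:00:00 +0000
"""

# Ubuntu codename -> version number, for releases existing as of January 2009.
UBUNTU_VERSIONS = {
    "warty": "4.10", "hoary": "5.04", "breezy": "5.10", "dapper": "6.06",
    "edgy": "6.10", "feisty": "7.04", "gutsy": "7.10", "hardy": "8.04",
    "intrepid": "8.10", "jaunty": "9.04",
}
AUTO_CLOSE_FROM = "6.10"   # the page's rule: Edgy and later close automatically

# A changelog entry header: "pkg (version) distribution; urgency=level"
HEADER_RE = re.compile(
    r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=\S+$", re.M)
# Assumed approximation of Launchpad's bug-closing matcher: "LP: #N",
# optionally followed by ", #N" repeats, case-insensitive.
LP_RE = re.compile(r"lp:\s+#\d+(?:,\s*#\d+)*", re.I)
NUM_RE = re.compile(r"#(\d+)")


def parse_changelog(text):
    """Return entries (newest first) with package, version, distribution, bugs."""
    entries = []
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        bugs = []
        for m in LP_RE.finditer(body):
            bugs.extend(int(n) for n in NUM_RE.findall(m.group(0)))
        entries.append({"package": h["pkg"], "version": h["ver"],
                        "distribution": h["dist"], "bugs": bugs})
    return entries


def codename(distribution):
    """'intrepid-security' or 'hardy-proposed' -> 'intrepid' / 'hardy'."""
    return distribution.split("-", 1)[0]


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def auto_closes(distribution):
    """True when an upload to this distribution auto-marks bugs Fix Released."""
    name = codename(distribution)
    if name not in UBUNTU_VERSIONS:
        raise ValueError(f"unknown Ubuntu codename: {name}")
    return version_tuple(UBUNTU_VERSIONS[name]) >= version_tuple(AUTO_CLOSE_FROM)


def upload_report(text):
    """Bugs referenced by the newest entry and whether they close automatically."""
    newest = parse_changelog(text)[0]
    return {"distribution": newest["distribution"],
            "bugs": newest["bugs"],
            "auto_closed": auto_closes(newest["distribution"])}


if __name__ == "__main__":
    report = upload_report(SAMPLE_CHANGELOG)
    action = "closed automatically" if report["auto_closed"] else "must be closed by hand"
    print(f"{report['distribution']}: bugs {report['bugs']} {action}")
```

Only the newest entry matters for an upload, which is why the report looks at `parse_changelog(...)[0]`; an older entry's "LP: #100000" has already been processed by the upload that introduced it. Running the same check against a Dapper target shows the manual case the page describes.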

Priority

Please see the ubuntu-cve-tracker README file (Ubuntu Priorities section) for details on what priority to set a bug. If unsure, leave as Undecided.

Releases

Usually, a security vulnerability affects multiple Ubuntu releases. When triaging, track each affected release individually by using the 'Nominate for release' link within the bug, so that each release gets its own task and status. Only nominate releases that are actually affected.

If the security vulnerability only applies to the development release, you do not need to use 'Nominate for release'.

Existing Bugs


CategoryProcess