| Content-type: text/asciidoc |
| Abstract: When a critical vulnerability is discovered and fixed, we follow this |
| script to coordinate a public release. |
| |
| How we coordinate embargoed releases |
| ==================================== |
| |
| To protect Git users from critical vulnerabilities, we do not just release |
| fixed versions like regular maintenance releases. Instead, we coordinate |
| releases with packagers, keeping the fixes under an embargo until the release |
| date. That way, users will have a chance to upgrade on that date, no matter |
| what Operating System or distribution they run. |
| |
| Open a Security Advisory draft |
| ------------------------------ |
| |
| The first step is to https://github.com/git/git/security/advisories/new[open an |
| advisory]. Technically, it is not necessary, but it is convenient and saves a |
| bit of hassle. This advisory can also be used to obtain the CVE number and it |
| will give us a private fork associated with it that can be used to collaborate |
| on a fix. |
| |
| Release date of the embargoed version |
| ------------------------------------- |
| |
| If the vulnerability affects Windows users, we want to have our friends over at |
| Visual Studio on board. This means we need to target a "Patch Tuesday" (i.e. a |
| second Tuesday of the month), at the minimum three weeks from heads-up to |
| coordinated release. |
| |
| If the vulnerability affects the server side, or can benefit from scans on the |
| server side (i.e. if `git fsck` can detect an attack), it is important to give |
| all involved Git repository hosting sites enough time to scan all of those |
| repositories. |
| |
| Notifying the Linux distributions |
| --------------------------------- |
| |
| At most two weeks before release date, we need to send a notification to |
| distros@vs.openwall.org, preferably less than 7 days before the release date. |
| This will reach most (all?) Linux distributions. See an example below, and the |
| guidelines for this mailing list at |
| https://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists[here]. |
| |
| Once the version has been published, we send a note about that to oss-security. |
| As an example, see https://www.openwall.com/lists/oss-security/2019/12/13/1[the |
| v2.24.1 mail]; |
| https://oss-security.openwall.org/wiki/mailing-lists/oss-security[Here] are |
| their guidelines. |
| |
| The mail to oss-security should also describe the exploit, and give credit to |
| the reporter(s): security researchers still receive too little respect for the |
| invaluable service they provide, and public credit goes a long way to keep them |
| paid by their respective organizations. |
| |
| Technically, describing any exploit can be delayed up to 7 days, but we usually |
| refrain from doing that, including it right away. |
| |
| As a courtesy we typically attach a Git bundle (as `.tar.xz` because the list |
| will drop `.bundle` attachments) in the mail to distros@ so that the involved |
| parties can take care of integrating/backporting them. This bundle is typically |
| created using a command like this: |
| |
| git bundle create cve-xxx.bundle ^origin/master vA.B.C vD.E.F |
| tar cJvf cve-xxx.bundle.tar.xz cve-xxx.bundle |
| |
| Example mail to distros@vs.openwall.org |
| --------------------------------------- |
| |
| .... |
| To: distros@vs.openwall.org |
| Cc: git-security@googlegroups.com, <other people involved in the report/fix> |
| Subject: [vs] Upcoming Git security fix release |
| |
| Team, |
| |
| The Git project will release new versions on <date> at 10am Pacific Time or |
| soon thereafter. I have attached a Git bundle (embedded in a `.tar.xz` to avoid |
| it being dropped) which you can fetch into a clone of |
| https://github.com/git/git via `git fetch --tags /path/to/cve-xxx.bundle`, |
| containing the tags for versions <versions>. |
| |
| You can verify with `git tag -v <tag>` that the versions were signed by |
| the Git maintainer, using the same GPG key as e.g. v2.24.0. |
| |
| Please use these tags to prepare `git` packages for your various |
| distributions, using the appropriate tagged versions. The added test cases |
| help verify the correctness. |
| |
| The addressed issues are: |
| |
| <list of CVEs with a short description, typically copy/pasted from Git's |
| release notes, usually demo exploit(s), too> |
| |
| Credit for finding the vulnerability goes to <reporter>, credit for fixing |
| it goes to <developer>. |
| |
| Thanks, |
| <name> |
| |
| .... |
| |
| Example mail to oss-security@lists.openwall.com |
| ----------------------------------------------- |
| |
| .... |
| To: oss-security@lists.openwall.com |
| Cc: git-security@googlegroups.com, <other people involved in the report/fix> |
| Subject: git: <copy from security advisory> |
| |
| Team, |
| |
| The Git project released new versions on <date>, addressing <CVE>. |
| |
| All supported platforms are affected in one way or another, and all Git |
| versions all the way back to <version> are affected. The fixed versions are: |
| <versions>. |
| |
| Link to the announcement: <link to lore.kernel.org/git> |
| |
| We highly recommend to upgrade. |
| |
| The addressed issues are: |
| * <list of CVEs and their explanations, along with demo exploits> |
| |
| Credit for finding the vulnerability goes to <reporter>, credit for fixing |
| it goes to <developer>. |
| |
| Thanks, |
| <name> |
| .... |