<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/security/en/index.xml">
<title>Gentoo Linux Security</title>
<author title="Author">
	<mail link="solar@gentoo.org">Ned Ludd</mail>
</author>
<author title="Author">
	<mail link="klieber@gentoo.org">Kurt Lieber</mail>
</author>
<author title="Author">
	<mail link="koon@gentoo.org">Thierry Carrez</mail>
</author>
<abstract>
This page is the entry point for all Gentoo Linux security concerns.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<license/>

<version>2.3</version>
<date>2009-04-14</date>

<chapter>
<title>Security in Gentoo Linux</title>
<section>
<body>

<p>
Security is a primary focus of Gentoo Linux, and ensuring the confidentiality
and security of our users' machines is of utmost importance to us. The
<uri link="/proj/en/security/">Gentoo Linux Security Project</uri>
is tasked with providing timely information about security vulnerabilities
in Gentoo Linux, along with patches to secure those vulnerabilities. We work
directly with vendors, end users and other OSS projects to ensure all
security incidents are responded to quickly and professionally.
</p>

<p>
You can find a document describing the policy the security team follows to
treat the vulnerabilities found in the Gentoo Linux distribution on the
<uri link="/security/en/vulnerability-policy.xml">Vulnerability Treatment
Policy</uri> page.
</p>

</body>
</section>
<section>
<title>Installing a secure Gentoo system</title>
<body>

<p>
The <uri link="/doc/en/security/">Gentoo Security Handbook</uri>
gives information and tips for building a secure system and hardening
existing systems.
</p>

</body>
</section>
<section>
<title>Keeping your Gentoo system secure</title>
<body>

<p>
To stay up-to-date with the security fixes you should subscribe to receive
GLSAs and apply GLSA instructions whenever you have an affected package
installed. Alternatively, syncing your portage tree and upgrading every package
should also keep you up-to-date security-wise.
</p>

<p>
Integration of security-only updates in Portage tools is underway. In the
meantime, you can try our experimental <c>glsa-check</c> tool (part of the
<e>gentoolkit</e> package) to check if a specific GLSA applies to your system
(<c>-p</c> option), list all GLSAs with applied/affected/unaffected status
(<c>-l</c> option) or apply a given GLSA to your system (<c>-f</c> option).
</p>

</body>
</section>
</chapter>
<chapter>
<title>Gentoo Linux Security Announcements (GLSAs)</title>
<section>
<body>

<p>
Gentoo Linux Security Announcements are notifications that we send out to
the community to inform them of security vulnerabilities related to Gentoo
Linux or the packages contained in our portage repository.
</p>

</body>
</section>
<section>
<title>Recent Advisories</title>
<body>

<glsa-latest/>

<p>For a full list of all published GLSAs, please see our
<uri link="/security/en/glsa/index.xml">GLSA index page</uri>.
</p>

</body>
</section>
<section>
<title>How to receive GLSAs</title>
<body>

<p>
GLSA announcements are sent to the
<uri link="/main/en/lists.xml">gentoo-announce@gentoo.org mailing list</uri>,
and are also available as an RDF feed at
<uri link="/rdf/en/glsa-index.rdf">http://www.gentoo.org/rdf/en/glsa-index.rdf</uri>.
</p>

</body>
</section>
</chapter>
<chapter>
<title>Security Team contact information</title>
<section>
<body>

<p>
Gentoo Linux takes security vulnerability reports very seriously.
Please file new vulnerability reports on
<uri link="https://bugs.gentoo.org">Gentoo Bugzilla</uri>
and assign them to the <e>Gentoo Security</e> product and
<e>Vulnerabilities</e> component. Click
<uri link="https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&amp;component=Vulnerabilities">here</uri>
to directly submit a new security vulnerability.
The Gentoo Linux Security Team will ensure all security-related
bug reports are responded to in a timely fashion.
</p>

<p>
If you find errors or omissions in published GLSAs, you should also file a
bug in <uri link="https://bugs.gentoo.org">Gentoo Bugzilla</uri> in the
<e>Gentoo Security</e> product, but with the <e>GLSA Errors</e> component. Click
<uri link="https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&amp;component=GLSA%20Errors">here</uri>
to directly submit a new GLSA bug.
</p>

</body>
</section>

<section>
<title>Confidential contacts</title>
<body>

<p>
You have two options for submitting non-public vulnerabilities to the Gentoo Linux
Security Team. You may submit a bug in
<uri link="https://bugs.gentoo.org/">Gentoo Bugzilla</uri>
using the <e>New-Expert</e> action, or the <e>Enter a new bug report (advanced)</e> link, and check the
<e>Gentoo Security</e> checkbox in the <e>Only users in all of the selected
groups can view this bug</e> section. You may also contact one of the following
security contacts directly using encrypted mail:
</p>

<table>
<tr>
  <th>Name</th>
  <th>Responsibility</th>
  <th>Email</th>
  <th>GPG keyID (click to retrieve public key)</th>
</tr>
<tr>
  <ti>Robert Buchholz</ti>
  <ti>Operational co-manager</ti>
  <ti><mail link="rbu@gentoo.org">rbu@gentoo.org</mail></ti>
  <ti><uri link="http://subkeys.pgp.net:11371/pks/lookup?op=get&amp;search=0xCE7E8339">0xCE7E8339</uri></ti>
</tr>
<tr>
  <ti>Pierre-Yves Rofes</ti>
  <ti>Operational co-manager</ti>
  <ti><mail link="py@gentoo.org">py@gentoo.org</mail></ti>
  <ti><uri link="http://subkeys.pgp.net:11371/pks/lookup?op=get&amp;search=0x320A2398">0x320A2398</uri></ti>
</tr>
</table>
<note>You can see a full list of Gentoo developers, including their GPG key IDs, on our <uri link="/proj/en/devrel/roll-call/userinfo.xml">list of active developers</uri>.</note>

</body>
</section>

</chapter>

<chapter>
<title>Resources</title>
<section>
<title>Security pages</title>
<body>
<ul>
<li><uri link="/security/en/glsa/index.xml">GLSA index page</uri>
    -- Full list of all published GLSAs</li>
<li><uri link="/rdf/en/glsa-index.rdf">GLSA RDF feed</uri>
    -- GLSA RDF live feed. You can limit the number of GLSAs shown by appending
    "?num=n" to the URL, where "n" is replaced with the number of entries you
    want. For example,
    <uri link="http://www.gentoo.org/rdf/en/glsa-index.rdf?num=20">http://www.gentoo.org/rdf/en/glsa-index.rdf?num=20</uri>
    will list the last 20 GLSAs.</li>
<li><uri link="/security/en/vulnerability-policy.xml">Vulnerability Treatment Policy</uri>
    -- The official policy the Security Team follows</li>
<li><uri link="/proj/en/security/">Gentoo Linux Security Project</uri>
    -- The security project page</li>
</ul>
</body>
</section>
<section>
<title>Links</title>
<body>
<ul>
<li><uri link="/doc/en/security/">Gentoo Security Handbook</uri>
    -- Step-by-step guide for hardening Gentoo Linux</li>
<li><uri link="/proj/en/hardened/">Gentoo Hardened Project</uri>
    -- Bringing advanced security to Gentoo Linux</li>
<li><uri link="/proj/en/server/">Gentoo Server Project</uri>
    -- Focusing on server-specific issues, such as security and stability</li>
<li><uri link="/proj/en/devrel/roll-call/userinfo.xml">Active Developer List</uri>
    -- Active Developer List including GPG keys which can be used to verify GLSAs</li>
</ul>
</body>
</section>
</chapter>
</guide>