.. _securitybugs:

Security bugs
=============

Linux kernel developers take security very seriously. As such, we'd
like to know when a security bug is found so that it can be fixed and
disclosed as quickly as possible. Please report security bugs to the
Linux kernel security team.

Contact
-------

The Linux kernel security team can be contacted by email at
<security@kernel.org>. This is a private list of security officers
who will help verify the bug report and develop and release a fix.
If you already have a fix, please include it with your report, as
that can speed up the process considerably. It is possible that the
security team will bring in extra help from area maintainers to
understand and fix the security vulnerability.

As it is with any bug, the more information provided the easier it
will be to diagnose and fix. Please review the procedure outlined in
:doc:`reporting-bugs` if you are unclear about what
information is helpful. Any exploit code is very helpful and will not
be released without consent from the reporter unless it has already been
made public.

Please send plain text emails without attachments where possible.
It is much harder to have a context-quoted discussion about a complex
issue if all the details are hidden away in attachments. Think of it like a
:doc:`regular patch submission <../process/submitting-patches>`
(even if you don't have a patch yet): describe the problem and impact, list
reproduction steps, and follow it with a proposed fix, all in plain text.

Disclosure and embargoed information
------------------------------------

The security list is not a disclosure channel. For that, see Coordination
below.

Once a robust fix has been developed, the release process starts. Fixes
for publicly known bugs are released immediately.

Although our preference is to release fixes for publicly undisclosed bugs
as soon as they become available, this may be postponed at the request of
the reporter or an affected party for up to 7 calendar days from the start
of the release process, with an exceptional extension to 14 calendar days
if it is agreed that the criticality of the bug requires more time. The
only valid reason for deferring the publication of a fix is to accommodate
the logistics of QA and large scale rollouts which require release
coordination.

While embargoed information may be shared with trusted individuals in
order to develop a fix, such information will not be published alongside
the fix or on any other disclosure channel without the permission of the
reporter. This includes but is not limited to the original bug report
and follow-up discussions (if any), exploits, CVE information or the
identity of the reporter.

In other words, our only interest is in getting bugs fixed. All other
information submitted to the security list and any follow-up discussions
of the report are treated confidentially even after the embargo has been
lifted, in perpetuity.

Coordination
------------

Fixes for sensitive bugs, such as those that might lead to privilege
escalations, may need to be coordinated with the private
<linux-distros@vs.openwall.org> mailing list so that distribution vendors
are well prepared to issue a fixed kernel upon public disclosure of the
upstream fix. Distros will need some time to test the proposed patch and
will generally request at least a few days of embargo, and vendor update
publication prefers to happen Tuesday through Thursday. When appropriate,
the security team can assist with this coordination, or the reporter can
include linux-distros from the start. In this case, remember to prefix
the email Subject line with "[vs]" as described in the linux-distros wiki:
<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>

CVE assignment
--------------

The security team does not normally assign CVEs, nor do we require them
for reports or fixes, as this can needlessly complicate the process and
may delay the bug handling. If a reporter wishes to have a CVE identifier
assigned ahead of public disclosure, they will need to contact the private
linux-distros list, described above. When such a CVE identifier is known
before a patch is provided, it is desirable to mention it in the commit
message if the reporter agrees.

Non-disclosure agreements
-------------------------

The Linux kernel security team is not a formal body and is therefore unable
to enter into any non-disclosure agreements.