A little while ago I proposed separating out our Security Advisories. What I would now like to do is create an *extra* page in the www/ repo listing (and in a couple of mutt cases creating[1]) advisories from 1st September when BLFS-10.0 was released.
For changes to the books I would create a branch, but for security advisories, just as for errata, the page needs to be visible on the main LFS website, otherwise the links will not work (at least in my case, where I have separate repos for LFS, BLFS and www2). So, I'd like to add an extra page with a bit more detail and, crucially, showing that Seamonkey, as an example, has had 5 advisories (one was a change to the patch we were using).

If this flies, I suggest that eventually we reserve the Errata for things which are not vulnerabilities, and at the end of the Errata page add a link to the new BLFS Security Advisories page.

I'm thinking the format will be something like the following (not necessarily what I originally suggested).

(title: BLFS Security Advisories from September 2020 onwards)

(heading: BLFS-10.0 was released on 2020/09/01 - intersperse a new heading for each release)

For each advisory, something like (not sure how this will look, detail may change a bit, maybe initially with variations in the layout for people to form opinions on what looks best):

  SA 20YYMMNN Vulnerabilities in FuBar before version 1.2.3.

  (some details, according to what is available for individual advisories.)

  (possible links to CVEs or other notifications - sometimes there might be several CVEs)

  To fix this, (either: mention some workaround, or) update to FuBar-1.2.3 or later using the instructions in the development books:

  [link for sysv labelled as FuBar (sysv)]
  [link for systemd labelled as FuBar (systemd)]

NB link labels will NOT include versions, and if a package is only in one book, the link for the other book would be marked as 'N/A'.

So, for e.g. firefox there would be several advisories, some also for JS78, but all linking to the current development version (and perhaps on release those should link to the version in the released book). In some cases the instructions may differ, e.g.
for gstreamer in October we told people to use the 1.16.3 series with the instructions from the 10.0 book because 1.18 would break things.

Although the page will be on the lfs website, during this prototyping it will not be linked from other pages - I'll post here when I have something for people to review. There are "rather a lot" of items since 10.0 was released.

Our main security guy is Doug, so I'd like to get his opinion before I start, together with any views of "No, because ...".

I'm guessing the page should be at http://www.linuxfromscratch.org/blfs/advisories/index.html to fit in with blfs/errata/stable/index.html and stable-systemd/index.html. If this flies, perhaps also a direct link from http://www.linuxfromscratch.org/blfs/read.html e.g. "Security Advisories".

ĸen

1. The patch for 2.0.4 had a CVE although the maintainer and reporter were ok without giving it one, and 2.0.5 has another similar fix without a CVE, so both probably deserve advisories.

-- 
The right of the people to keep and arm Bears, shall not be infringed.