Difference between revisions of "SVG:General Advisory Template"
Line 3: | Line 3: | ||
<pre> | <pre> | ||
(Revised | (Revised 5th February 2016) | ||
< E-mail title - as Title > | < E-mail title - as Title > | ||
Line 13: | Line 13: | ||
< Title should include software affected> | < Title should include software affected> | ||
< If applicable, a CVE number or the like should be included > | < If applicable, a CVE number or the like should be included > | ||
< The title should be used as mail subject, and on the wiki, but not included in mail itself.> | < The title should be used as mail subject, and on the wiki, but not included in mail itself. > | ||
< The date should only be used on the wiki too > | < The date should only be used on the wiki too > | ||
< So then the e-mail starts with the TLP followed by affected software and risk. | < So then the e-mail starts with the TLP followed by affected software and risk. | ||
Title: EGI SVG Advisory <RISK> risk <cve, software, other info > [EGI-SVG-<year>-<RT-number>] | |||
Title: EGI SVG Advisory [TLP:<Choose TLP colour>]<RISK> risk <cve, software, other info > [EGI-SVG-<year>-<RT-number>] | |||
Date: <date yyyy-mm-dd> <1st released> | Date: <date yyyy-mm-dd> <1st released> | ||
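Review bot: the new Title line runs `[TLP:<Choose TLP colour>]` straight into `<RISK>` with no separating space, so a filled-in subject would read `[TLP:WHITE]CRITICAL risk ...`; put a space between the two fields. The instruction line `< So then the e-mail starts with the TLP followed by affected software and risk.` is also still missing its closing `>` in both columns.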
Line 24: | Line 25: | ||
< Choose proper TLP color > | < Choose proper TLP color > | ||
** WHITE information - Unlimited distribution | ** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions*** | ||
** GREEN information - Community wide distribution ** or | or | ||
** AMBER information - Limited distribution | |||
** RED information - Personal for Named Recipients Only | ** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ||
or | |||
** or | |||
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
or | |||
** RED information - Personal for Named Recipients Only - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
Affected Software and Risk | Affected Software and Risk | ||
========================== | ========================== | ||
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software> | <CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package> | ||
Package :<Name of package> | |||
CVE ID :<Include CVE's if present> | |||
Bug ID :<Any identifier by package provider if applicable> | |||
<A few sentences describing the problem > <It was found that SillySoftware exposes users to unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is present in versions up to 11.> | |||
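Review bot: a stray `** or` line sits between the GREEN and AMBER blocks in the new column, so the rendered template shows the `or` separator twice at that point; drop it. The WHITE line also ends with `***` while the other three banners end with `**`; make the delimiter consistent so the banner is recognisable whichever colour is chosen.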
Actions Required/Recommended | Actions Required/Recommended | ||
Line 50: | Line 65: | ||
<(For critical) All running resources MUST be either patched or have mitigation | <(For critical) All running resources MUST be either patched or have mitigation | ||
in place by yyyy-mm-dd T21:00+01:00. | in place or software removed by yyyy-mm-dd T21:00+01:00. > | ||
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. | Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. | ||
<7 calendar days - but if the date falls on a Friday or common public holiday, | <7 calendar days - but if the date falls on a Friday or common public holiday, | ||
make it the first working day after people are expected back> | make it the first working day after people are expected back> | ||
Affected software Details. | |||
========================== | |||
<This can be ommitted if the situation is sufficiently simple to include version info in the Affected software and risk. For example this may be included if it is quite complex which versions of e.g. Linux are affected.> | |||
<e.g. which version(s) of Linux are effected> | |||
<e.g. which middleware component is effected within gLite/ARC/Unicore/Globus/Other> | |||
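Review bot: the new heading `Affected software Details.` carries a trailing full stop and mixed capitalisation unlike the other section headings (`Affected Software and Risk`, `More information`); suggest `Affected Software Details` with the underline shortened to match. The section body also has `ommitted` for `omitted` and `effected` for `affected` twice.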
More information | More information | ||
Line 63: | Line 86: | ||
<Describe the reason for the issuing of this advisory> | <Describe the reason for the issuing of this advisory> | ||
< A vulnerability has been found in <xxx> software which is part of the <yyy> | < A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> | ||
distribution.> | |||
<this could include - e.g. updated as patch available> | <this could include - e.g. updated as patch available> | ||
Line 74: | Line 95: | ||
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> | <In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> | ||
Line 98: | Line 111: | ||
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | ||
Sites using the EGI UMD 3 should see: | Sites using the EGI UMD 3 should see: | ||
Line 107: | Line 119: | ||
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/ | http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/ | ||
OR | OR | ||
Line 117: | Line 128: | ||
https://fedoraproject.org/wiki/EPEL | https://fedoraproject.org/wiki/EPEL | ||
Line 141: | Line 151: | ||
<Put on Wiki for WHITE information only> | <Put on Wiki for WHITE information only> | ||
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later) > | <(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. > | ||
URL: | URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or | ||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-<CVE ID> | |||
Minor updates may be made without re-distribution to the sites | Minor updates may be made without re-distribution to the sites | ||
Credit | Credit | ||
Line 156: | Line 166: | ||
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability> | SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability> | ||
References | References | ||
Line 170: | Line 179: | ||
Comments or questions should be sent to svg-rat at mailman.egi.eu | Comments or questions should be sent to svg-rat at mailman.egi.eu | ||
Timeline | Timeline | ||
Line 185: | Line 193: | ||
2016-??-?? Advisory/Alert sent to sites | 2016-??-?? Advisory/Alert sent to sites | ||
2016-??-?? Public disclosure | 2016-??-?? Public disclosure | ||
On behalf of the EGI SVG, | On behalf of the EGI SVG, | ||
</pre> | </pre> |
Revision as of 11:55, 5 February 2016
General Advisory Template
(Revised 5th February 2016)
< E-mail title - as Title >
<add or delete sections as needed>
< Fill in advisory number, title, date, and URL (if WHITE)>
< Title should include the RISK rating (e.g. CRITICAL, HIGH, ...)>
< Title should include software affected>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject, and on the wiki, but not included in the mail itself. >
< The date should only be used on the wiki too >
< So then the e-mail starts with the TLP followed by affected software and risk. >

Title: EGI SVG Advisory [TLP:<Choose TLP colour>] <RISK> risk <cve, software, other info > [EGI-SVG-<year>-<RT-number>]
Date: <date yyyy-mm-dd> <1st released>
Updated: <date yyyy-mm-dd>

< Choose proper TLP colour >
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
or
** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
or
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
or
** RED information - Personal for Named Recipients Only - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

Affected Software and Risk
==========================
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package>
Package : <Name of package>
CVE ID  : <Include CVEs if present>
Bug ID  : <Any identifier by package provider if applicable>
<A few sentences describing the problem >
<It was found that SillySoftware exposes users to unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is present in versions up to 11.>

Actions Required/Recommended
============================
<as appropriate, e.g.>
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.>
<Sites running xxx are required to urgently apply vendor kernel updates.>
<Sites running yyy are required to urgently install the new version.>
<Sites are recommended to update relevant components as soon as it is convenient.>
<(For critical) All running resources MUST be either patched or have mitigation in place or software removed by yyyy-mm-dd T21:00+01:00. >
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
<7 calendar days - but if the date falls on a Friday or common public holiday, make it the first working day after people are expected back>

Affected Software Details
=========================
<This can be omitted if the situation is sufficiently simple to include version info in the Affected Software and Risk section. For example, this section may be needed if it is quite complex which versions of e.g. Linux are affected.>
<e.g. which version(s) of Linux are affected>
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other>

More information
================
<Describe the reason for the issuing of this advisory>
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.>
<this could include - e.g. updated as patch available>
<include CVE number if one has been issued>
<describe the problem, something about why it occurs, and the effect on sites>
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.>

Mitigation
==========
<Describe mitigation to carry out - this may be to run a script>
< If possible, include either a script and/or include command lines>

Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
Sites that wish to install directly from the EMI release should see:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/
OR
Please note that XXX is no longer maintained in the EMI repository. XXX is now also available in EPEL:
https://fedoraproject.org/wiki/EPEL
<e.g. patch not yet available>
<e.g. patch available from vendor for x system but not y>
<e.g. pointer to UMD release >
OR
<References to appropriate other software.>
OR
<List vendors who have already announced patches with references>

URL
===
<Put on Wiki for WHITE information only>
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. >
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or
URL: https://wiki.egi.eu/wiki/SVG:Advisory-<CVE ID>
Minor updates may be made without re-distribution to the sites.

Credit
======
This vulnerability was reported by <if applicable - person who discovers vulnerability> or
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>

References
==========
<Any references to the vulnerability>
<refer to any public disclosure>
<e.g. Linux vendors' info>
<any other info on the problem>

Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu

Timeline
========
yyyy-mm-dd [EGI-SVG-<year>-<RT-number>]
2016-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1>
2016-??-?? Acknowledgement from the EGI SVG to the reporter
2016-??-?? (if appropriate) Software providers responded and involved in investigation
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2016-??-?? EGI SVG Risk Assessment completed
2016-??-?? (if appropriate) Assessment by the EGI Software Vulnerability Group reported to the software providers
2016-??-?? Updated packages available <in the EGI UMD/other location>
2016-??-?? Advisory/Alert sent to sites
2016-??-?? Public disclosure

On behalf of the EGI SVG,
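As an added example, not code from the EGI SVG wiki or the SVG itself, the Python helpers below render the template's Title line and TLP banner from its fixed TLP and risk vocabularies and compute the CRITICAL-advisory deadline under the 7-calendar-day rule above (a Friday or holiday rolls forward to the first working day); the holiday list and the RT number 9999 used in the checks are constructed placeholders.

```python
from datetime import date, timedelta

# Vocabularies fixed by the template: TLP colour and risk rating.
TLP_COLOURS = ("WHITE", "GREEN", "AMBER", "RED")
RISK_LEVELS = ("CRITICAL", "HIGH", "MODERATE", "LOW")
TLP_URL = "https://wiki.egi.eu/wiki/EGI_CSIRT:TLP"
TLP_TEXT = {"WHITE": "Unlimited distribution",
            "GREEN": "Community wide distribution",
            "AMBER": "Limited distribution",
            "RED": "Personal for Named Recipients Only"}

# Constructed sample holidays (assumption, not from the template): Good Friday
# and Easter Monday 2016, days on which people are not expected back at work.
SAMPLE_HOLIDAYS = frozenset({"2016-03-25", "2016-03-28"})


def patch_deadline(released, holidays=frozenset()):
    """Template rule for CRITICAL advisories: 7 calendar days after the
    yyyy-mm-dd release date, but a Friday (or weekend) or a public holiday
    rolls forward to the first working day after people are expected back."""
    d = date.fromisoformat(released) + timedelta(days=7)
    while d.weekday() >= 4 or d.isoformat() in holidays:  # 4=Fri, 5/6=weekend
        d += timedelta(days=1)
    return d.isoformat()


def advisory_title(tlp, risk, subject, year, rt_number):
    """Mail subject / wiki title in the template's format; rejects values
    outside the template's TLP and risk vocabularies."""
    if tlp not in TLP_COLOURS:
        raise ValueError(f"unknown TLP colour {tlp!r}")
    if risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {risk!r}")
    return (f"EGI SVG Advisory [TLP:{tlp}] {risk} risk {subject} "
            f"[EGI-SVG-{year}-{rt_number}]")


def tlp_banner(tlp):
    """First line of the mail body: the TLP banner for the chosen colour."""
    return (f"** {tlp} information - {TLP_TEXT[tlp]} - see {TLP_URL} "
            f"for distribution restrictions **")


def deadline_sentence(released, holidays=frozenset()):
    """The template's 'MUST be patched by' sentence with the deadline filled in."""
    when = patch_deadline(released, holidays)
    return ("All running resources MUST be either patched or have mitigation "
            f"in place or software removed by {when} T21:00+01:00.")
```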