Difference between revisions of "SVG:General Advisory Template"
Line 2: | Line 2: | ||
<pre> | <pre> | ||
E-mail title - as Title | |||
<add or delete sections as needed> | <add or delete sections as needed> | ||
Line 21: | Line 22: | ||
EGI CSIRT ADVISORY [EGI-ADV-yyyymmdd] or | EGI CSIRT ADVISORY [EGI-ADV-yyyymmdd] or | ||
EGI SVG ADVISORY [EGI-SVG- | EGI SVG ADVISORY [EGI-SVG-yyyy-<Rt no>] | ||
Title: < | Title: EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name software for csirt - [EGI-ADV-YYYYMMDD] for [SVG EGI-SVG-YYYY-RTno > | ||
> | |||
Date: <date yyyy-mm-dd> | Date: <date yyyy-mm-dd> | ||
Updated: <date yyyy-mm-dd> | Updated: <date yyyy-mm-dd> | ||
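Review bot: The new Title line never closes the "<" opened at "<refer to any CVE number" or the "[" opened at "[SVG EGI-SVG-YYYY-RTno", and it folds the CSIRT and SVG variants into one line, so someone filling in the template cannot tell which parts are literal text. Suggest giving the two variants on separate lines joined by "or", as the ADVISORY lines just above do, with each identifier fully bracketed. The identifier placeholders are also written differently within this hunk (yyyymmdd and YYYYMMDD, "<Rt no>" and "RTno"); pick one form.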
Line 32: | Line 31: | ||
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/<xxx>-yyyy-mm-dd or | URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/<xxx>-yyyy-mm-dd or | ||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<yyyy>-<number> | URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<yyyy>-<number> | ||
Introduction | Introduction | ||
Line 66: | Line 65: | ||
============= | ============= | ||
<This issue has been | <This issue has been assessed as Critical/High/Moderate/Low risk by the EGI CSIRT and/or EGI SVG | ||
Risk Assessment Team as appropriate> | Risk Assessment Team as appropriate> | ||
<if critical - include critical in title and e-mail title> | <if critical - include critical in title and e-mail title> | ||
Line 89: | Line 88: | ||
Component Installation information | Component Installation information | ||
================================== | ================================== | ||
The official repository for the distribution of grid middleware for EGI sites is | |||
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | |||
Sites using the EGI UMD should see: | |||
<e.g. patch not yet available> | <e.g. patch not yet available> | ||
Line 95: | Line 99: | ||
<e.g. pointer to UMD release > | <e.g. pointer to UMD release > | ||
http://repository.egi.eu/category/umd_releases/distribution/umd_1/ | |||
http://repository.egi.eu/category/umd_releases/distribution/umd-2/ | |||
<e.g. | |||
Sites who wish to install directly from the EMI release should see | |||
..... > | |||
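Review bot: The two added repository links name the release directories inconsistently, "umd_1/" with an underscore and "umd-2/" with a hyphen; confirm both paths resolve as written before they go into a template that sites will copy from. The "<e.g." placeholder about installing directly from the EMI release ends in "..... >" with no pointer, so either add the link or state that it is to be filled in per advisory.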
Line 116: | Line 130: | ||
work-around in place by yyyy-mm-dd T21:00+01:00. | work-around in place by yyyy-mm-dd T21:00+01:00. | ||
<7 calendar days - but if the date falls on a Friday | <7 calendar days - but if the date falls on a Friday or common public holiday, | ||
make it the first working day after people are expected back> | make it the first working day after people are expected back> | ||
Line 134: | Line 148: | ||
<any other info on the problem> | <any other info on the problem> | ||
e.g. http://repository.egi.eu/category/umd_releases/distribution/umd_1/ | |||
e.g. http://www.eu-emi.eu/emi-1-kebnekaise | |||
Timeline <probably SVG/EGI UMD issues only> | Timeline <probably SVG/EGI UMD issues only> | ||
Line 139: | Line 156: | ||
Yyyy-mm-dd | Yyyy-mm-dd | ||
2012-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME | |||
2012-??-?? Acknowlegement from the EGI SVG to the reporter | |||
2012-??-?? Software providers responded and involved in investigation | |||
2012-??-?? Assessment by the EGI Software Vulnerability Group reported to the software providers | |||
2012-??-?? Updated packages available <in the EGI UMD/other location> | |||
2012-??-?? Public disclosure | |||
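Review bot: In the first added timeline row, the reminder "WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME" sits outside the angle brackets the template uses for editing instructions, so it reads as advisory text and can go out unedited; wrap it in "<...>" like the other instructions. The rows also hard-code the year as "2012-??-??" although the line above and the Date fields use the generic yyyy-mm-dd placeholder, and "Acknowlegement" is misspelled.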
Line 150: | Line 167: | ||
On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate> , | On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate> , | ||
</pre> | </pre> |
Revision as of 12:43, 15 August 2012
General Advisory Template
E-mail title - as Title

<add or delete sections as needed>

< Choose proper TLP color >
** WHITE information - Unlimited distribution allowed ** or
** GREEN information - Community wide distribution ** or
** AMBER information - Limited distribution ** or
** RED information - Personal for Named Recipients Only **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

< Fill in advisory number, title, date, and URL (if WHITE)>
< Title should be prepended by the RISK rating (e.g., CRITICAL, HIGH, ...)>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject as well>

EGI CSIRT ADVISORY [EGI-ADV-yyyymmdd] or
EGI SVG ADVISORY [EGI-SVG-yyyy-<Rt no>]

Title: EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name software for csirt - [EGI-ADV-YYYYMMDD] for [SVG EGI-SVG-YYYY-RTno >
Date: <date yyyy-mm-dd>
Updated: <date yyyy-mm-dd>

<Put on Wiki for WHITE information only>
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/<xxx>-yyyy-mm-dd or
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<yyyy>-<number>

Introduction
============

<Describe the reason for the issuing of this advisory - paragraph 3-5 sentences >
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.>
<this could include - e.g. updated as patch available>
<include cve- number if one has been issued>
<include EGI RT number for SVG/UMD issues>

Details
=======

<describe the problem, something about why it occurs, and the effect on sites>
<take care not to release anything useful to an attacker, unless it is already public, especially if you are sending it in WHITE>
<this should not be long>

Risk Category
=============

<This issue has been assessed as Critical/High/Moderate/Low risk by the EGI CSIRT and/or EGI SVG
Risk Assessment Team as appropriate>
<if critical - include critical in title and e-mail title>

Affected Software
=================

<e.g. which version(s) of Linux are affected>
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other>

Mitigation
==========

<Describe mitigation to carry out - this may be to run a script>
< If possible, include either a script and/or include command lines>

Component Installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:

<e.g. patch not yet available>
<e.g. patch available from vendor for x system but not y>
<e.g. pointer to UMD release >
http://repository.egi.eu/category/umd_releases/distribution/umd_1/
http://repository.egi.eu/category/umd_releases/distribution/umd-2/

<e.g.
Sites who wish to install directly from the EMI release should see
..... >

Recommendations
===============

<as appropriate e.g.>
<Immediately apply the mitigation described above to all user-accessible systems.>
<Immediately apply vendor kernel updates when they become available.>
<List vendors who have already announced patches>
<Apply new version in EGI UMD>
<Sites are recommended to update relevant components.>
<(For critical) All running resources MUST be either patched or otherwise have a
work-around in place by yyyy-mm-dd T21:00+01:00.
<7 calendar days - but if the date falls on a Friday or common public holiday,
make it the first working day after people are expected back>

Credit
======

This vulnerability was reported by <if applicable - person who discovers vulnerability>

References
==========

<Any references to the vulnerability>
<refer to any public disclosure>
<e.g. Linux vendors info>
<any other info on the problem>
e.g. http://repository.egi.eu/category/umd_releases/distribution/umd_1/
e.g. http://www.eu-emi.eu/emi-1-kebnekaise

Timeline <probably SVG/EGI UMD issues only>
========

Yyyy-mm-dd
2012-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME
2012-??-?? Acknowledgement from the EGI SVG to the reporter
2012-??-?? Software providers responded and involved in investigation
2012-??-?? Assessment by the EGI Software Vulnerability Group reported to the software providers
2012-??-?? Updated packages available <in the EGI UMD/other location>
2012-??-?? Public disclosure

On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate>,