The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:General Advisory Template"
Jump to navigation
Jump to search
| Line 24: | Line 24: | ||
EGI SVG ADVISORY [EGI-SVG-yyyy-<Rt no>] | EGI SVG ADVISORY [EGI-SVG-yyyy-<Rt no>] | ||
Title: EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name software for csirt - | Title: EGI SVG Advisory <risk> RISK - <refer to any CVE number and include | ||
[EGI-ADV-YYYYMMDD] for [SVG EGI-SVG-YYYY-RTno > | |||
name software for csirt - [EGI-ADV-YYYYMMDD] for [SVG EGI-SVG-YYYY-RTno > | |||
Date: <date yyyy-mm-dd> | Date: <date yyyy-mm-dd> | ||
Updated: <date yyyy-mm-dd> | Updated: <date yyyy-mm-dd> | ||
| Line 39: | Line 40: | ||
<Describe the reason for the issuing of this advisory - paragraph 3-5 sentences > | <Describe the reason for the issuing of this advisory - paragraph 3-5 sentences > | ||
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> | < A vulnerability has been found in <xxx> software which is part of the <yyy> | ||
distribution.> | |||
<this could include - e.g. updated as patch available> | <this could include - e.g. updated as patch available> | ||
| Line 56: | Line 59: | ||
<take care not to release anything useful to an attacker, unless it is already public, | <take care not to release anything useful to an attacker, unless it is already | ||
public, | |||
especially if you are sending it in WHITE> | especially if you are sending it in WHITE> | ||
| Line 66: | Line 71: | ||
============= | ============= | ||
<This issue has been assessed as Critical/High/Moderate/Low risk by the EGI CSIRT and/or EGI SVG | <This issue has been assessed as Critical/High/Moderate/Low risk by the EGI CSIRT | ||
and/or EGI SVG | |||
Risk Assessment Team as appropriate> | Risk Assessment Team as appropriate> | ||
<if critical - include critical in title and e-mail title> | <if critical - include critical in title and e-mail title> | ||
Affected | Affected software | ||
================= | ================= | ||
<e.g. which version(s) of Linux are effected> | <e.g. which version(s) of Linux are effected> | ||
<e.g. which middleware component is effected within gLite/ARC/Unicore/Globus/Other> | <e.g. which middleware component is effected within | ||
gLite/ARC/Unicore/Globus/Other> | |||
| Line 92: | Line 101: | ||
The official repository for the distribution of grid middleware for EGI sites is | The official repository for the distribution of grid middleware for EGI sites is | ||
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | ||
Sites using the EGI UMD 2 should see: | |||
http://repository.egi.eu/category/umd_releases/distribution/umd-2/ | |||
Sites who wish to install directly from the EMI 2 release should see: | |||
http://www.eu-emi.eu/emi-2-matterhorn/updates/ | |||
Sites using the EGI UMD 3 should see: | |||
http://repository.egi.eu/category/umd_releases/distribution/umd-3/ | |||
Sites who wish to install directly from the EMI release should see: | |||
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/ | |||
<e.g. patch not yet available> | <e.g. patch not yet available> | ||
| Line 101: | Line 128: | ||
<e.g. pointer to UMD release > | <e.g. pointer to UMD release > | ||
| Line 130: | Line 151: | ||
<(For critical) All running resources MUST be either patched or otherwise have a | <(For critical) All running resources MUST be either patched or otherwise have a | ||
work-around in place by yyyy-mm-dd T21:00+01:00. Sites failing to act and/or | work-around in place by yyyy-mm-dd T21:00+01:00. Sites failing to act and/or | ||
failing to respond to requests from the EGI CSIRT team risk site suspension. | failing to respond to requests from the EGI CSIRT team risk site suspension. | ||
<7 calendar days - but if the date falls on a Friday or common public holiday, | <7 calendar days - but if the date falls on a Friday or common public holiday, | ||
| Line 140: | Line 160: | ||
====== | ====== | ||
This vulnerability was reported by <if applicable - person who discovers vulnerability> | This vulnerability was reported by <if applicable - person who discovers | ||
vulnerability> | |||
| Line 156: | Line 178: | ||
Yyyy-mm-dd | Yyyy-mm-dd | ||
2013-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME | 2013-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING | ||
HIS/HER NAME | |||
2013-??-?? Acknowledgement from the EGI SVG to the reporter | 2013-??-?? Acknowledgement from the EGI SVG to the reporter | ||
2013-??-?? Software providers responded and involved in investigation | 2013-??-?? Software providers responded and involved in investigation | ||
2013-??-?? Assessment by the EGI Software Vulnerability Group reported to the software providers | 2013-??-?? Assessment by the EGI Software Vulnerability Group reported to the | ||
software providers | |||
2013-??-?? Updated packages available <in the EGI UMD/other location> | 2013-??-?? Updated packages available <in the EGI UMD/other location> | ||
2013-??-?? Public disclosure | 2013-??-?? Public disclosure | ||
| Line 167: | Line 193: | ||
On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate> , | On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate> , | ||
</pre> | </pre> | ||
Revision as of 11:41, 15 May 2013
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
General Advisory Template
E-mail title - as Title <add or delete sections as needed> < Choose proper TLP color > ** WHITE information - Unlimited distribution allowed ** or ** GREEN information - Community wide distribution ** or ** AMBER information - Limited distribution ** or ** RED information - Personal for Named Recipients Only ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** < Fill in advisory number, title, date, and URL(if WHITE)> < Title should be prepended by the RISK rating (e. g., CRITICAL, HIGH, ...)> < If applicable, a CVE number or the like should be included > < The title should be used as mail subject as well> EGI CSIRT ADVISORY [EGI-ADV-yyyymmdd] or EGI SVG ADVISORY [EGI-SVG-yyyy-<Rt no>] Title: EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name software for csirt - [EGI-ADV-YYYYMMDD] for [SVG EGI-SVG-YYYY-RTno > Date: <date yyyy-mm-dd> Updated: <date yyyy-mm-dd> <Put on Wiki for WHITE information only> URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/<xxx>-yyyy-mm-dd or URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<yyyy>-<number> Introduction ============ <Describe the reason for the issuing of this advisory - paragraph 3-5 sentences > < A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> <this could include - e.g. updated as patch available> <include cve- number if one has been issued> <include EGI RT number for SVG/UMD issues> Details ======= <describe the problem, something about why it occurs, and the effect on sites> <take care not to release anything useful to an attacker, unless it is already public, especially if you are sending it in WHITE> <this should not be long> Risk category ============= <This issue has been assessed as Critical/High/Moderate/Low risk by the EGI CSIRT and/or EGI SVG Risk Assessment Team as appropriate> <if critical - include critical in title and e-mail title> Affected software ================= <e.g. which version(s) of Linux are effected> <e.g. which middleware component is effected within gLite/ARC/Unicore/Globus/Other> Mitigation ========== <Describe mitigation to carry out - this may be to run a script> < If possible, include either a script and/or include command lines> Component installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). Sites using the EGI UMD 2 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-2/ Sites who wish to install directly from the EMI 2 release should see: http://www.eu-emi.eu/emi-2-matterhorn/updates/ Sites using the EGI UMD 3 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-3/ Sites who wish to install directly from the EMI release should see: http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/ <e.g. patch not yet available> <e.g. patch available from vendor for x system but not y> <e.g. pointer to UMD release > Recommendations =============== <as appropriate e.g.> <Immediately apply the mitigation described above to all user-accessible systems.> <Immediately apply vendor kernel updates when they become available.> <List vendors who have already announced patches> <Apply new version in EGI UMD> <Sites are recommended to update relevant components.> <(For critical) All running resources MUST be either patched or otherwise have a work-around in place by yyyy-mm-dd T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <7 calendar days - but if the date falls on a Friday or common public holiday, make it the first working day after people are expected back> Credit ====== This vulnerability was reported by <if applicable - person who discovers vulnerability> References ========== <Any references to the vulnerability> <refer to any public disclosure> <e.g. Linux vendors info> <any other info on the problem> Timeline <probably SVG/EGI UMD issues only> ======== Yyyy-mm-dd 2013-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME 2013-??-?? Acknowledgement from the EGI SVG to the reporter 2013-??-?? Software providers responded and involved in investigation 2013-??-?? Assessment by the EGI Software Vulnerability Group reported to the software providers 2013-??-?? Updated packages available <in the EGI UMD/other location> 2013-??-?? Public disclosure On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate> ,
| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |
| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |