Difference between revisions of "SVG:General Advisory Template"
Line 2: | Line 2: | ||
<pre> | <pre> | ||
E-mail title - as Title | |||
(Revised 7th January 2016) | |||
E-mail title - as Title | |||
<add or delete sections as needed> | <add or delete sections as needed> | ||
< Choose proper TLP color > | < Choose proper TLP color > | ||
** WHITE information - Unlimited distribution allowed ** or | ** WHITE information - Unlimited distribution allowed ** or | ||
** GREEN information - Community wide distribution ** or | ** GREEN information - Community wide distribution ** or | ||
Line 16: | Line 20: | ||
< Fill in advisory number, title, date, and URL(if WHITE)> | < Fill in advisory number, title, date, and URL(if WHITE)> | ||
< Title should | < Title should include the RISK rating (e. g., CRITICAL, HIGH, ...)> | ||
< If applicable, a CVE number or the like should be included > | < If applicable, a CVE number or the like should be included > | ||
< The title should be used as mail subject as well> | < The title should be used as mail subject as well> | ||
EGI | EGI SVG ADVISORY [EGI-SVG-CVE-<year>-<number>] if CVE available | ||
EGI SVG ADVISORY [EGI-SVG- | |||
EGI SVG ADVISORY [EGI-SVG-<date of report>-<SW abbreviation>] | |||
Title: EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name of | |||
software [EGI-SVG-CVE-<year>-<number>] if CVE available or [EGI-SVG-<date of report>-<SW abbreviation>] | |||
Date: <date yyyy-mm-dd> <1st released> | Date: <date yyyy-mm-dd> <1st released> | ||
Updated: <date yyyy-mm-dd> | Updated: <date yyyy-mm-dd> | ||
Line 31: | Line 38: | ||
<For other - This advisory will be placed on the wiki on or after yyyy-mm-dd> | <For other - This advisory will be placed on the wiki on or after yyyy-mm-dd> | ||
URL: https://wiki.egi.eu/wiki/ | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-< | URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-<year>-<number> | ||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<date of report>-<SW abbreviation> | |||
Introduction | Introduction | ||
Line 61: | Line 69: | ||
<this should not be long> | <this should not be long> | ||
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> | |||
Line 66: | Line 75: | ||
============= | ============= | ||
This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk | |||
Assessment Team | |||
Line 122: | Line 131: | ||
OR | |||
References to appropriate other software. | |||
OR | |||
List vendors who have already announced patches with references | |||
Line 134: | Line 148: | ||
<Immediately apply vendor kernel updates when they become available.> | <Immediately apply vendor kernel updates when they become available.> | ||
<Apply new version in EGI UMD> | <Apply new version in EGI UMD> | ||
Line 142: | Line 154: | ||
<(For critical) All running resources MUST be either patched or | <(For critical) All running resources MUST be either patched or have mitigation | ||
in place by yyyy-mm-dd T21:00+01:00. | |||
failing to respond to requests from the EGI CSIRT team risk site suspension. | |||
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk | |||
site suspension. | |||
<7 calendar days - but if the date falls on a Friday or common public holiday, | <7 calendar days - but if the date falls on a Friday or common public holiday, | ||
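Review bot: the deadline form "yyyy-mm-dd T21:00+01:00" in the (For critical) paragraph hard-codes a +01:00 offset, which is wrong during central-European summer time (+02:00) and ambiguous for sites in other zones; name the zone or give the time in UTC so the seven-calendar-day rule that follows resolves to one unambiguous instant. The paragraph also opens with "<" but never closes with ">" before the "<7 calendar days" note, so it is unclear where the example text ends and the instruction begins.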
Line 154: | Line 169: | ||
This vulnerability was reported by <if applicable - person who discovers vulnerability> | This vulnerability was reported by <if applicable - person who discovers vulnerability> | ||
or | |||
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability> | |||
Line 164: | Line 183: | ||
<any other info on the problem> | <any other info on the problem> | ||
Comments | |||
======== | |||
Timeline | Comments or questions should be sent to svg-rat at mailman.egi.eu | ||
Timeline | |||
======== | ======== | ||
Yyyy-mm-dd | Yyyy-mm-dd | ||
2016-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1> | |||
2016-??-?? Acknowledgement from the EGI SVG to the reporter | |||
2016-??-?? (if appropriate) Software providers responded and involved in investigation | |||
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) | |||
2016-??-?? EGI SVG Risk Assessment completed | |||
2016-??-?? (if appropriate)Risk Reported to the Software Providers | |||
2016-??-?? Updated packages available <in the EGI UMD/other location> | |||
2016-??-?? Advisory/Alert sent to sites | |||
2016-??-?? Public disclosure | |||
On behalf of the | On behalf of the EGI SVG, | ||
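Review bot: the Timeline mixes a generic "Yyyy-mm-dd" placeholder line with hard-coded "2016-??-??" entries, so a copy of the template taken next year carries a stale year; use one placeholder form throughout. The entry "(if appropriate)Risk Reported" is missing the space after the closing parenthesis.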
Revision as of 18:40, 7 January 2016
General Advisory Template
(Revised 7th January 2016)

E-mail title - as Title
<add or delete sections as needed>

< Choose proper TLP color >
** WHITE information - Unlimited distribution allowed ** or
** GREEN information - Community wide distribution ** or
** AMBER information - Limited distribution ** or
** RED information - Personal for Named Recipients Only **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

< Fill in advisory number, title, date, and URL (if WHITE) >
< Title should include the RISK rating (e.g. CRITICAL, HIGH, ...) >
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject as well >

EGI SVG ADVISORY [EGI-SVG-CVE-<year>-<number>]                 if CVE available
EGI SVG ADVISORY [EGI-SVG-<date of report>-<SW abbreviation>]  otherwise

Title:   EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name of software>
         [EGI-SVG-CVE-<year>-<number>] if CVE available or
         [EGI-SVG-<date of report>-<SW abbreviation>]
Date:    <date yyyy-mm-dd> <1st released>
Updated: <date yyyy-mm-dd>

<Put on Wiki for WHITE information only>
<For other - This advisory will be placed on the wiki on or after yyyy-mm-dd>
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-<year>-<number>
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<date of report>-<SW abbreviation>

Introduction
============
<Describe the reason for issuing this advisory - a paragraph of 3-5 sentences>
<A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.>
<this could include - e.g. updated as patch available>
<include CVE number if one has been issued>
<include EGI RT number for SVG/UMD issues>

Details
=======
<describe the problem, something about why it occurs, and the effect on sites>
<take care not to release anything useful to an attacker, unless it is already public,
 especially if you are sending it in WHITE>
<this should not be long>
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.>

Risk category
=============
This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk
Assessment Team

Affected software
=================
<e.g. which version(s) of Linux are affected>
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other>

Mitigation
==========
<Describe mitigation to carry out - this may be to run a script>
<If possible, include a script and/or command lines>

Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Sites who wish to install directly from the EMI release should see:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/

OR

Please note that XXX is no longer maintained in the EMI repository.
XXX is now also available in EPEL https://fedoraproject.org/wiki/EPEL

<e.g. patch not yet available>
<e.g. patch available from vendor for x system but not y>
<e.g. pointer to UMD release>

OR

References to appropriate other software.

OR

List vendors who have already announced patches, with references.

Recommendations
===============
<as appropriate, e.g.>
<Immediately apply the mitigation described above to all user-accessible systems.>
<Immediately apply vendor kernel updates when they become available.>
<Apply new version in EGI UMD>
<Sites are recommended to update relevant components.>

<(For critical) All running resources MUST be either patched or have mitigation
in place by yyyy-mm-dd T21:00+01:00.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk
site suspension.>
<7 calendar days - but if the date falls on a Friday or common public holiday,
make it the first working day after people are expected back>

Credit
======
This vulnerability was reported by <if applicable - person who discovered the vulnerability>
or
SVG was alerted to this vulnerability by <if applicable - person who alerted SVG to the vulnerability>

References
==========
<Any references to the vulnerability>
<refer to any public disclosure>
<e.g. Linux vendors' info>
<any other info on the problem>

Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu

Timeline
========
Yyyy-mm-dd
2016-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1>
2016-??-?? Acknowledgement from the EGI SVG to the reporter
2016-??-?? (if appropriate) Software providers responded and involved in investigation
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2016-??-?? EGI SVG Risk Assessment completed
2016-??-?? (if appropriate) Risk reported to the Software Providers
2016-??-?? Updated packages available <in the EGI UMD/other location>
2016-??-?? Advisory/Alert sent to sites
2016-??-?? Public disclosure

On behalf of the EGI SVG,
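The template above fixes several machine-checkable rules: a TLP marking line, a Title that carries the risk rating and the bracketed advisory id, a wiki URL for WHITE advisories only, a fixed set of underlined sections, and a patch deadline of seven calendar days that moves off a Friday or public holiday. The following linter is an added example and is not code from the EGI SVG wiki or from EGI; it assumes (the page does not say) that the date in the non-CVE advisory id is written yyyy-mm-dd, that weekends count as non-working days alongside the Friday/holiday rule, and that the holiday list is supplied by the caller. The sample advisory text it checks is constructed here and describes no real vulnerability.

```python
"""Lint an advisory written to the EGI SVG General Advisory Template.

Added example, not code from the EGI SVG wiki page.  Assumed (not on the
page): the date in the non-CVE advisory id is yyyy-mm-dd; weekends count as
non-working days for the deadline rule; holidays are supplied by the caller.
"""
import re
from datetime import date, timedelta

RISK_LEVELS = ("CRITICAL", "HIGH", "MODERATE", "LOW")
# Section headings of the template, in order.
SECTIONS = ("Introduction", "Details", "Risk category", "Affected software",
            "Mitigation", "Component installation information",
            "Recommendations", "Credit", "References", "Comments", "Timeline")
# [EGI-SVG-CVE-<year>-<number>] or [EGI-SVG-<date of report>-<SW abbreviation>]
ADVISORY_ID_RE = re.compile(
    r"\[EGI-SVG-(?:CVE-\d{4}-\d{4,}|\d{4}-\d{2}-\d{2}-[A-Za-z0-9]+)\]")
TLP_RE = re.compile(r"^\*\*\s*(WHITE|GREEN|AMBER|RED) information", re.M)
TITLE_RE = re.compile(r"^Title:\s*(.+?)\s*$", re.M)
WIKI_URL_RE = re.compile(
    r"^URL:\s*https://wiki\.egi\.eu/wiki/SVG:Advisory-SVG-\S+", re.M)


def tlp_of(text):
    """TLP colour from the '** <COLOUR> information ... **' line, or None."""
    m = TLP_RE.search(text)
    return m.group(1) if m else None


def headings_of(text):
    """Headings are the lines underlined with a row of '=' in the template."""
    lines = text.splitlines()
    return [lines[i].strip() for i in range(len(lines) - 1)
            if lines[i].strip() and re.fullmatch(r"=+", lines[i + 1].strip())]


def lint(text):
    """Return a list of problems; an empty list means the advisory conforms."""
    problems = []
    tlp = tlp_of(text)
    if tlp is None:
        problems.append("no TLP marking")
    m = TITLE_RE.search(text)
    if m is None:
        problems.append("no Title: line")
    else:
        title = m.group(1)
        if not any(r in title.upper() for r in RISK_LEVELS):
            problems.append("title lacks a risk rating")
        if not ADVISORY_ID_RE.search(title):
            problems.append("title lacks an advisory id")
    has_url = WIKI_URL_RE.search(text) is not None
    # The wiki URL is for WHITE advisories only; others are put on the wiki later.
    if tlp == "WHITE" and not has_url:
        problems.append("WHITE advisory without wiki URL")
    if tlp not in (None, "WHITE") and has_url:
        problems.append(f"{tlp} advisory carries a public wiki URL")
    present = headings_of(text)
    problems += [f"missing section: {s}" for s in SECTIONS if s not in present]
    return problems


def patch_deadline(released, holidays=()):
    """Deadline for critical advisories: 7 calendar days after release, rolled
    forward past Friday, the weekend (assumption) and listed holidays to the
    first working day, as the template's Recommendations note asks."""
    d = released + timedelta(days=7)
    while d.weekday() >= 4 or d in holidays:  # 4 = Friday, 5/6 = weekend
        d += timedelta(days=1)
    return d


def sample_advisory(tlp, title, url=True):
    """Constructed sample text in the template's layout (not a real advisory)."""
    head = (f"** {tlp} information **\n"
            "EGI SVG ADVISORY [EGI-SVG-2016-01-07-EXAMPLESW]\n\n"
            f"Title: {title}\nDate: 2016-01-07\n")
    if url:
        head += "URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-01-07-EXAMPLESW\n"
    body = "".join(f"\n{s}\n{'=' * len(s)}\n<{s} text>\n" for s in SECTIONS)
    return head + body


GOOD = sample_advisory(
    "WHITE", "EGI SVG Advisory HIGH RISK - examplesw flaw [EGI-SVG-2016-01-07-EXAMPLESW]")
BAD = sample_advisory("AMBER", "EGI SVG Advisory - examplesw flaw")

if __name__ == "__main__":
    print("good:", lint(GOOD))
    print("bad:", lint(BAD))
    print("deadline for a Friday release:", patch_deadline(date(2016, 1, 8)))
```

Running it reports nothing for the conforming sample, and for the second sample flags the missing risk rating, the missing advisory id, and the public wiki URL on an AMBER advisory. A release on Friday 2016-01-08 gets a deadline of Monday 2016-01-18 rather than Friday 2016-01-15, which is the template's rule.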