Difference between revisions of "SVG:General Advisory Template"
Line 2: | Line 2: | ||
<pre> | <pre> | ||
(Revised | |||
(Revised 12th January 2016) | |||
< E-mail title - as Title > | < E-mail title - as Title > | ||
Line 13: | Line 14: | ||
< Title should include software affected> | < Title should include software affected> | ||
< If applicable, a CVE number or the like should be included > | < If applicable, a CVE number or the like should be included > | ||
< The title should be used as mail subject | < The title should be used as mail subject, and on the wiki, but not included in mail itself.> | ||
< The date should only be used on the wiki too > | |||
< So then the e-mail starts with the TLP followed by affected software and risk. | |||
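Review bot: the new placeholder line "< So then the e-mail starts with the TLP followed by affected software and risk." has no closing ">", unlike every other placeholder in this hunk (e.g. "< The date should only be used on the wiki too >"); add the closing ">" so the template's placeholder convention stays consistent.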
Line 20: | Line 23: | ||
Date: <date yyyy-mm-dd> <1st released> | Date: <date yyyy-mm-dd> <1st released> | ||
Updated: <date yyyy-mm-dd> | Updated: <date yyyy-mm-dd> | ||
< Choose proper TLP color > | < Choose proper TLP color > | ||
Line 29: | Line 33: | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ||
Affected Software and Risk | |||
========================== | |||
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software> | |||
Actions Required | Actions Required/Recommended | ||
============================ | |||
<as appropriate e.g.> | <as appropriate e.g.> | ||
Line 53: | Line 62: | ||
make it the first working day after people are expected back> | make it the first working day after people are expected back> | ||
More information | |||
================ | |||
< | <Describe the reason for the issuing of this advisory> | ||
< A vulnerability has been found in <xxx> software which is part of the <yyy> | |||
distribution.> | |||
<this could include - e.g. updated as patch available> | <this could include - e.g. updated as patch available> | ||
Line 75: | Line 76: | ||
<include cve- number if one has been issued> | <include cve- number if one has been issued> | ||
<describe the problem, something about why it occurs, and the effect on sites> | <describe the problem, something about why it occurs, and the effect on sites> | ||
<In the case of announced vulnerabilities, simply a reference to the SW provider's info | <In the case of announced vulnerabilities, simply a reference to the SW provider's info | ||
may be sufficient.> | |||
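Review bot: "<include cve- number if one has been issued>" carries a stray "cve- " with a hyphen and space; "CVE number" would read cleanly and match the wording "< If applicable, a CVE number or the like should be included >" used in the header section of the same template.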
Line 156: | Line 146: | ||
URL | |||
=== | |||
<Put on Wiki for WHITE information only> | |||
<(If not public and High or Critical) - This advisory will be placed on the wiki on or | |||
after yyyy-mm-dd (2 weeks later) > | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> | |||
Minor updates may be made without re-distribution to the sites | |||
Line 165: | Line 167: | ||
or | or | ||
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability> | SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a | ||
vulnerability> | |||
Line 191: | Line 195: | ||
2016-??-?? (if appropriate) Software providers responded and involved in investigation | 2016-??-?? (if appropriate) Software providers responded and involved in investigation | ||
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as | 2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as | ||
appropriate) | appropriate) | ||
2016-??-?? EGI SVG Risk Assessment completed | 2016-??-?? EGI SVG Risk Assessment completed | ||
2016-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported | 2016-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported | ||
to the software providers | to the software providers | ||
2016-??-?? Updated packages available <in the EGI UMD/other location> | 2016-??-?? Updated packages available <in the EGI UMD/other location> | ||
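Review bot: the entry "2016-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported to the software providers" is missing the space after "(if appropriate)" on both sides of the diff; the earlier entry "2016-??-?? (if appropriate) Software providers responded and involved in investigation" has it, so add the space for consistency.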
Line 201: | Line 207: | ||
On behalf of the EGI SVG, | |||
Revision as of 12:24, 12 January 2016
General Advisory Template
(Revised 12th January 2016)

< E-mail title - as Title >
<add or delete sections as needed>
< Fill in advisory number, title, date, and URL (if WHITE)>
< Title should include the RISK rating (e.g. CRITICAL, HIGH, ...)>
< Title should include software affected>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject, and on the wiki, but not included in the mail itself.>
< The date should only be used on the wiki too >
< So the e-mail starts with the TLP followed by affected software and risk. >

Title: EGI SVG Advisory <RISK> risk <cve, software, other info > [EGI-SVG-<year>-<RT-number>]

Date: <date yyyy-mm-dd> <1st released>
Updated: <date yyyy-mm-dd>

< Choose proper TLP color >
** WHITE information - Unlimited distribution allowed **
or
** GREEN information - Community wide distribution **
or
** AMBER information - Limited distribution **
or
** RED information - Personal for Named Recipients Only **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

Affected Software and Risk
==========================
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software>

Actions Required/Recommended
============================
<as appropriate e.g.>
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.>
<Sites running xxx are required to urgently apply vendor kernel updates.>
<Sites running yyy are required to urgently install the new version>
<Sites are recommended to update relevant components as soon as it is convenient>
<(For critical) All running resources MUST be either patched or have mitigation in place by yyyy-mm-dd T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.>
<7 calendar days - but if the date falls on a Friday or common public holiday, make it the first working day after people are expected back>

More information
================
<Describe the reason for the issuing of this advisory>
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.>
<this could include - e.g. updated as patch available>
<include CVE number if one has been issued>
<describe the problem, something about why it occurs, and the effect on sites>
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.>

Affected software
=================
<e.g. which version(s) of Linux are affected>
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other>

Mitigation
==========
<Describe mitigation to carry out - this may be to run a script>
< If possible, include either a script and/or include command lines>

Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu, which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Sites who wish to install directly from the EMI release should see:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/

OR

Please note that XXX is no longer maintained in the EMI repository. XXX is now also available in EPEL: https://fedoraproject.org/wiki/EPEL

<e.g. patch not yet available>
<e.g. patch available from vendor for x system but not y>
<e.g. pointer to UMD release >
OR
<References to appropriate other software.>
OR
<List vendors who have already announced patches with references>

URL
===
<Put on Wiki for WHITE information only>
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later) >
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number>
Minor updates may be made without re-distribution to the sites

Credit
======
This vulnerability was reported by <if applicable - person who discovers vulnerability>
or
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>

References
==========
<Any references to the vulnerability>
<refer to any public disclosure>
<e.g. Linux vendors info>
<any other info on the problem>

Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu

Timeline
========
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>]
2016-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1>
2016-??-?? Acknowledgement from the EGI SVG to the reporter
2016-??-?? (if appropriate) Software providers responded and involved in investigation
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2016-??-?? EGI SVG Risk Assessment completed
2016-??-?? (if appropriate) Assessment by the EGI Software Vulnerability Group reported to the software providers
2016-??-?? Updated packages available <in the EGI UMD/other location>
2016-??-?? Advisory/Alert sent to sites
2016-??-?? Public disclosure

On behalf of the EGI SVG,