* [PATCH v2 0/1] security-process: update with mailing list details
@ 2020-12-03 14:29 P J P
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
0 siblings, 1 reply; 11+ messages in thread
From: P J P @ 2020-12-03 14:29 UTC (permalink / raw)
To: Stefan Hajnoczi
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Michael Roth,
Konrad Rzeszutek Wilk, QEMU Developers, Darren Kenny,
Daniel P . Berrangé
From: Prasad J Pandit <pjp@fedoraproject.org>
Hello,
* After upstream discussions and considering various options like
LaunchPad bugs, GitLab issues etc.
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg04266.html
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg00059.html
We are about to introduce a 'qemu-security' mailing list to receive and
triage upstream QEMU security issues.
* Intention is to allow more community participation in handling and
triaging of the QEMU security issues.
* This change relieves current set of individual contacts from the
responsibility of handling upstream QEMU issues. Of course they are
welcome to the new 'qemu-security' mailing list.
* To simplify the encrypted communication process, we keep only a single
contact of <secalert@redhat.com> from our previous list of contacts.
This way reporters need not look for and manage GPG keys of multiple
contacts.
v1:
* This patch v1 updates the QEMU security-process web page with detailed
process.
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg06234.html
v2:
* Incorporate further inputs and suggestions from upstream reviews.
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00568.html
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00584.html
I'd appreciate if you have any inputs and/or suggestions for this change.
Thank you.
--
Prasad J Pandit (1):
security-process: update process information
contribute/security-process.md | 154 ++++++++++++++++++++-------------
1 file changed, 95 insertions(+), 59 deletions(-)
--
2.28.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 [PATCH v2 0/1] security-process: update with mailing list details P J P
@ 2020-12-03 14:29 ` P J P
2020-12-03 14:38 ` Daniel P. Berrangé
` (6 more replies)
0 siblings, 7 replies; 11+ messages in thread
From: P J P @ 2020-12-03 14:29 UTC (permalink / raw)
To: Stefan Hajnoczi
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Michael Roth,
Konrad Rzeszutek Wilk, QEMU Developers, Darren Kenny,
Daniel P . Berrangé
From: Prasad J Pandit <pjp@fedoraproject.org>
We are about to introduce a qemu-security mailing list to report
and triage QEMU security issues.
Update the security process web page with new mailing list address
and triage details.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
contribute/security-process.md | 154 ++++++++++++++++++++-------------
1 file changed, 95 insertions(+), 59 deletions(-)
Update v2: incorporate inputs from upstream reviews
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00568.html
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00584.html
diff --git a/contribute/security-process.md b/contribute/security-process.md
index 1239967..13b6b97 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -3,72 +3,110 @@ title: Security Process
permalink: /contribute/security-process/
---
-QEMU takes security very seriously, and we aim to take immediate action to
-address serious security-related problems that involve our product.
-
-Please report any suspected security vulnerability in QEMU to the following
-addresses. You can use GPG keys for respective receipients to communicate with
-us securely. If you do, please upload your GPG public key or supply it to us
-in some other way, so that we can communicate to you in a secure way, too!
-Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us
-identify your message as security-related.
-
-## QEMU Security Contact List
-
-Please copy everyone on this list:
-
- Contact Person(s) | Contact Address | Company | GPG Key | GPG key fingerprint
-:-----------------------|:------------------------------|:--------------|:---------:|:--------------------
- Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67) | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
- Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3E786F42C44977CA) | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
- Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x894F8F4870E1AE90) | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90
- Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑](https://access.redhat.com/site/security/team/contact/#contact) |
- Michael Roth | michael.roth@amd.com | AMD | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584) | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584
- Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xE2858B5AF050DE8D) | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
-
-## How to Contact Us Securely
-
-We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail
-sent to members of the list can be encrypted with public keys of all members
-of the list. We expect to change some of the keys we use from time to time.
-Should a key change, the previous one will be revoked.
-
-## How we respond
-
-Maintainers listed on the security reporting list operate a policy of
-responsible disclosure. As such they agree that any information you share with
-them about security issues that are not public knowledge is kept confidential
-within respective affiliated companies. It is not passed on to any third-party,
-including Xen Security Project, without your permission.
-
-Email sent to us is read and acknowledged with a non-automated response. For
-issues that are complicated and require significant attention, we will open an
-investigation and keep you informed of our progress. We might take one or more
-of the following steps:
+Please report any suspected security issue in QEMU to the security mailing
+list at:
+
+* [\<qemu-security@nongnu.org\>](https://lists.nongnu.org/mailman/listinfo/qemu-security)
+
+To report an issue via [GPG](https://gnupg.org/) encrypted email, please send
+it to the Red Hat Product Security team at:
+
+* [\<secalert@redhat.com\>](https://access.redhat.com/security/team/contact/#contact)
+
+**Note:** after the triage, encrypted issue details shall be sent to the upstream
+'qemu-security' mailing list for archival purposes.
+
+## How to report an issue:
+
+* Please include as many details as possible in the issue report.
+ Ex:
+ - QEMU version, upstream commit/tag
+ - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc.
+ - Affected code area/snippets
+ - Stack traces, crash details
+ - Malicious inputs/reproducer steps etc.
+ - Any configurations/settings required to trigger the issue.
+
+* Please share the QEMU command line used to invoke a guest VM.
+
+* Please specify whom to acknowledge for reporting this issue.
+
+## How we respond:
+
+* Process of handling security issues comprises following steps:
+
+ 0) **Acknowledge:**
+ - A non-automated response email is sent to the reporter(s) to acknowledge
+ the reception of the report. (*60 day's counter starts here*)
+
+ 1) **Triage:**
+ - Examine the issue details and confirm whether the issue is genuine
+ - Validate if it can be misused for malicious purposes
+ - Determine its worst case impact and severity
+ [Low/Moderate/Important/Critical]
+
+ 2) **Response:**
+ - Negotiate embargo timeline (if required, depending on severity)
+ - Request a [CVE](https://cveform.mitre.org/) and open an upstream
+ [bug](https://www.qemu.org/contribute/report-a-bug/)
+ - Create an upstream fix patch annotated with
+ - CVE-ID
+ - Link to an upstream bugzilla
+ - Reported-by, Tested-by etc. tags
+ - Once the patch is merged, close the upstream bug with a link to the
+ commit
+ - Fixed in: <commit hash/link>
+
+* Above security lists are operated by select analysts, maintainers and/or
+ representatives from downstream communities.
+
+* List members follow a **responsible disclosure** policy. Any non-public
+ information you share about security issues, is kept confidential within
+ members of the QEMU security team and a minimal supporting staff in their
+ affiliated companies. Such information will not be disclosed to third party
+ organisations/individuals without prior permission from the reporter(s).
+
+* We aim to process security issues within maximum of **60 days**. That is not
+ to say that issues will remain private for 60 days, nope. After the triaging
+ step above
+ - If severity of the issue is sufficiently low, an upstream public bug
+ will be created immediately.
+ - If severity of the issue requires co-ordinated disclosure at a future
+ date, then the embargo process below is followed, and upstream bug will
+ be opened at the end of the embargo period.
+
+ This will allow upstream contributors to create, test and track fix patch(es).
### Publication embargo
-If a security issue is reported that is not already publicly disclosed, an
-embargo date may be assigned and communicated to the reporter. Embargo
-periods will be negotiated by mutual agreement between members of the security
-team and other relevant parties to the problem. Members of the security contact
-list agree not to publicly disclose any details of the security issue until
-the embargo date expires.
+* If a security issue is reported that is not already public and its severity
+ requires coordinated disclosure, then an embargo date will be set and
+ communicated to the reporter(s).
+
+* Embargo periods will be negotiated by mutual agreement between reporter(s),
+ members of the security list and other relevant parties to the problem.
+ The preferred embargo period is upto [2
+ weeks](https://oss-security.openwall.org/wiki/mailing-lists/distros).
+ However, longer embargoes may be negotiated if the severity of the issue
+ requires it.
+
+* Members of the security list agree not to publicly disclose any details of
+ an embargoed security issue until its embargo date expires.
### CVE allocation
-An security issue is assigned with a CVE number. The CVE numbers will usually
-be allocated by one of the vendor security engineers on the security contact
-list.
+Each security issue is assigned a [CVE](https://cveform.mitre.org/) number.
+The CVE number is allocated by one of the vendor security engineers on the
+security list.
-## When to contact the QEMU Security Contact List
+## When to contact the QEMU Security List
-You should contact the Security Contact List if:
+You should contact the Security List if:
* You think there may be a security vulnerability in QEMU.
* You are unsure about how a known vulnerability affects QEMU.
* You can contact us in English. We are unable to respond in other languages.
-## When *not* to contact the QEMU Security Contact List
+## When *not* to contact the QEMU Security List
* You need assistance in a language other than English.
* You require technical assistance (for example, "how do I configure QEMU?").
* You need help upgrading QEMU due to security alerts.
@@ -76,6 +114,9 @@ You should contact the Security Contact List if:
## How impact and severity of a bug is decided
+**Security criterion:**
+ -> [https://www.qemu.org/docs/master/system/security.html](https://www.qemu.org/docs/master/system/security.html)
+
All security issues in QEMU are not equal. Based on the parts of the QEMU
sources wherein the bug is found, its impact and severity could vary.
@@ -122,8 +163,3 @@ used to write programs for the SoC device. In such developer environments, it
is generally assumed that the guest is trusted.
And thus, this buffer overflow turned out to be a security non-issue.
-
-## What to Send to the QEMU Security Contact List
-
-Please provide as much information about your system and the issue as possible
-when contacting the list.
--
2.28.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
@ 2020-12-03 14:38 ` Daniel P. Berrangé
2020-12-03 15:43 ` Darren Kenny
` (5 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Daniel P. Berrangé @ 2020-12-03 14:38 UTC (permalink / raw)
To: P J P
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Stefan Hajnoczi,
Konrad Rzeszutek Wilk, QEMU Developers, Darren Kenny,
Michael Roth
On Thu, Dec 03, 2020 at 07:59:02PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> contribute/security-process.md | 154 ++++++++++++++++++++-------------
> 1 file changed, 95 insertions(+), 59 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
2020-12-03 14:38 ` Daniel P. Berrangé
@ 2020-12-03 15:43 ` Darren Kenny
2020-12-10 14:17 ` Petr Matousek
` (4 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Darren Kenny @ 2020-12-03 15:43 UTC (permalink / raw)
To: P J P, Stefan Hajnoczi
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Michael Roth,
Konrad Rzeszutek Wilk, QEMU Developers, Daniel P . Berrangé
On Thursday, 2020-12-03 at 19:59:02 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Thanks,
Darren
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
2020-12-03 14:38 ` Daniel P. Berrangé
2020-12-03 15:43 ` Darren Kenny
@ 2020-12-10 14:17 ` Petr Matousek
2020-12-10 17:36 ` Michael Roth
` (3 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Petr Matousek @ 2020-12-10 14:17 UTC (permalink / raw)
To: P J P
Cc: peter.maydell, Stefano Stabellini, Daniel P . Berrangé,
Prasad J Pandit, Michael S . Tsirkin, Stefan Hajnoczi,
Konrad Rzeszutek Wilk, QEMU Developers, Darren Kenny,
Michael Roth
On Thu, Dec 03, 2020 at 07:59:02PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> contribute/security-process.md | 154 ++++++++++++++++++++-------------
> 1 file changed, 95 insertions(+), 59 deletions(-)
Reviewed-by: Petr Matousek <pmatouse@redhat.com>
Thanks!
--
Petr Matousek / Red Hat Product Security
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
` (2 preceding siblings ...)
2020-12-10 14:17 ` Petr Matousek
@ 2020-12-10 17:36 ` Michael Roth
2020-12-10 21:14 ` Stefano Stabellini
` (2 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Michael Roth @ 2020-12-10 17:36 UTC (permalink / raw)
To: P J P, Stefan Hajnoczi
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Konrad Rzeszutek Wilk, Michael S . Tsirkin,
QEMU Developers, Darren Kenny, Daniel P . Berrangé
Quoting P J P (2020-12-03 08:29:02)
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> contribute/security-process.md | 154 ++++++++++++++++++++-------------
> 1 file changed, 95 insertions(+), 59 deletions(-)
>
> Update v2: incorporate inputs from upstream reviews
> -> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nongnu.org%2Farchive%2Fhtml%2Fqemu-devel%2F2020-12%2Fmsg00568.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=mmvwGiZ9dbuPML6gxiHW0HPbACQ5KkFoTnX%2F0zoZ0Dg%3D&reserved=0
> -> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nongnu.org%2Farchive%2Fhtml%2Fqemu-devel%2F2020-12%2Fmsg00584.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YCDVNuoF1TsPgvHmBMnCKFVMq6jSdDLSpYRa%2BDNr9z8%3D&reserved=0
>
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index 1239967..13b6b97 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
> @@ -3,72 +3,110 @@ title: Security Process
> permalink: /contribute/security-process/
> ---
>
> -QEMU takes security very seriously, and we aim to take immediate action to
> -address serious security-related problems that involve our product.
> -
> -Please report any suspected security vulnerability in QEMU to the following
> -addresses. You can use GPG keys for respective receipients to communicate with
> -us securely. If you do, please upload your GPG public key or supply it to us
> -in some other way, so that we can communicate to you in a secure way, too!
> -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us
> -identify your message as security-related.
> -
> -## QEMU Security Contact List
> -
> -Please copy everyone on this list:
> -
> - Contact Person(s) | Contact Address | Company | GPG Key | GPG key fingerprint
> -:-----------------------|:------------------------------|:--------------|:---------:|:--------------------
> - Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0xC3503912AFBE8E67&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ach%2FMe1VOaT98jtMyPJC4I0uAo4uROCecrjiS8MmpkU%3D&reserved=0) | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
> - Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0x3E786F42C44977CA&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=9ZvtaQbfvaZl7JPIXIRPXuV4SNc%2FYrsa6nYmP7gqAFM%3D&reserved=0) | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
> - Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0x894F8F4870E1AE90&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Crn3Vjvg4yhGV08muovU2xoxDhU62UQHGoXRyEAlowY%3D&reserved=0) | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90
> - Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsite%2Fsecurity%2Fteam%2Fcontact%2F%23contact&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F9S%2B48R1svm2onjH%2B0s94eIOsDjn12oOEmhX2a4TLMQ%3D&reserved=0) |
> - Michael Roth | michael.roth@amd.com | AMD | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0x3353C9CEF108B584&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=heJAgFDdBUdhmSDAZUV6WaR6MaQXzcXfCCWNC2LN5Wg%3D&reserved=0) | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584
> - Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpool.sks-keyservers.net%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0xE2858B5AF050DE8D&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Y0loOnpwtCDOJYeL%2B7VkLHFTuRh9dVeHRTp5xPN5EwU%3D&reserved=0) | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
> -
> -## How to Contact Us Securely
> -
> -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail
> -sent to members of the list can be encrypted with public keys of all members
> -of the list. We expect to change some of the keys we use from time to time.
> -Should a key change, the previous one will be revoked.
> -
> -## How we respond
> -
> -Maintainers listed on the security reporting list operate a policy of
> -responsible disclosure. As such they agree that any information you share with
> -them about security issues that are not public knowledge is kept confidential
> -within respective affiliated companies. It is not passed on to any third-party,
> -including Xen Security Project, without your permission.
> -
> -Email sent to us is read and acknowledged with a non-automated response. For
> -issues that are complicated and require significant attention, we will open an
> -investigation and keep you informed of our progress. We might take one or more
> -of the following steps:
> +Please report any suspected security issue in QEMU to the security mailing
> +list at:
> +
> +* [\<qemu-security@nongnu.org\>](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nongnu.org%2Fmailman%2Flistinfo%2Fqemu-security&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Dgnc%2FyzLIGzHUA6qfMewzRxMTypxM4mUWFKQptKogx4%3D&reserved=0)
> +
> +To report an issue via [GPG](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgnupg.org%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=y%2BNR12H9ETsYX0dky9JfrAGdyKx1Sp%2FCPvAO8g%2BRYH0%3D&reserved=0) encrypted email, please send
> +it to the Red Hat Product Security team at:
> +
> +* [\<secalert@redhat.com\>](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsecurity%2Fteam%2Fcontact%2F%23contact&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HWZxebDeAX1vEx0Qyg066Seml3ODlr%2FxxKoAWYvFQhc%3D&reserved=0)
> +
> +**Note:** after the triage, encrypted issue details shall be sent to the upstream
> +'qemu-security' mailing list for archival purposes.
> +
> +## How to report an issue:
> +
> +* Please include as many details as possible in the issue report.
> + Ex:
> + - QEMU version, upstream commit/tag
> + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc.
> + - Affected code area/snippets
> + - Stack traces, crash details
> + - Malicious inputs/reproducer steps etc.
> + - Any configurations/settings required to trigger the issue.
> +
> +* Please share the QEMU command line used to invoke a guest VM.
> +
> +* Please specify whom to acknowledge for reporting this issue.
> +
> +## How we respond:
> +
> +* Process of handling security issues comprises following steps:
> +
> + 0) **Acknowledge:**
> + - A non-automated response email is sent to the reporter(s) to acknowledge
> + the reception of the report. (*60 day's counter starts here*)
> +
> + 1) **Triage:**
> + - Examine the issue details and confirm whether the issue is genuine
> + - Validate if it can be misused for malicious purposes
> + - Determine its worst case impact and severity
> + [Low/Moderate/Important/Critical]
> +
> + 2) **Response:**
> + - Negotiate embargo timeline (if required, depending on severity)
> + - Request a [CVE](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcveform.mitre.org%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tX%2FfJOD5YLlBiub1eq0Wzo1eXaMI30U2x76JnSRTM0k%3D&reserved=0) and open an upstream
> + [bug](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.qemu.org%2Fcontribute%2Freport-a-bug%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sNNjhfl3KhOEnmEnIX4st9%2FJtxVWQVHAnN4xCpRTrgs%3D&reserved=0)
> + - Create an upstream fix patch annotated with
> + - CVE-ID
> + - Link to an upstream bugzilla
> + - Reported-by, Tested-by etc. tags
> + - Once the patch is merged, close the upstream bug with a link to the
> + commit
> + - Fixed in: <commit hash/link>
> +
> +* Above security lists are operated by select analysts, maintainers and/or
> + representatives from downstream communities.
> +
> +* List members follow a **responsible disclosure** policy. Any non-public
> + information you share about security issues, is kept confidential within
> + members of the QEMU security team and a minimal supporting staff in their
> + affiliated companies. Such information will not be disclosed to third party
> + organisations/individuals without prior permission from the reporter(s).
> +
> +* We aim to process security issues within maximum of **60 days**. That is not
> + to say that issues will remain private for 60 days, nope. After the triaging
> + step above
> + - If severity of the issue is sufficiently low, an upstream public bug
> + will be created immediately.
> + - If severity of the issue requires co-ordinated disclosure at a future
> + date, then the embargo process below is followed, and upstream bug will
> + be opened at the end of the embargo period.
> +
> + This will allow upstream contributors to create, test and track fix patch(es).
>
> ### Publication embargo
>
> -If a security issue is reported that is not already publicly disclosed, an
> -embargo date may be assigned and communicated to the reporter. Embargo
> -periods will be negotiated by mutual agreement between members of the security
> -team and other relevant parties to the problem. Members of the security contact
> -list agree not to publicly disclose any details of the security issue until
> -the embargo date expires.
> +* If a security issue is reported that is not already public and its severity
> + requires coordinated disclosure, then an embargo date will be set and
> + communicated to the reporter(s).
> +
> +* Embargo periods will be negotiated by mutual agreement between reporter(s),
> + members of the security list and other relevant parties to the problem.
> + The preferred embargo period is upto [2
> + weeks](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Foss-security.openwall.org%2Fwiki%2Fmailing-lists%2Fdistros&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cfAc%2B9w%2BDt6KsGgZtaOG%2BLfaVbZ637L2fYLINX1Qhng%3D&reserved=0).
> + However, longer embargoes may be negotiated if the severity of the issue
> + requires it.
> +
> +* Members of the security list agree not to publicly disclose any details of
> + an embargoed security issue until its embargo date expires.
>
> ### CVE allocation
>
> -An security issue is assigned with a CVE number. The CVE numbers will usually
> -be allocated by one of the vendor security engineers on the security contact
> -list.
> +Each security issue is assigned a [CVE](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcveform.mitre.org%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tX%2FfJOD5YLlBiub1eq0Wzo1eXaMI30U2x76JnSRTM0k%3D&reserved=0) number.
> +The CVE number is allocated by one of the vendor security engineers on the
> +security list.
>
> -## When to contact the QEMU Security Contact List
> +## When to contact the QEMU Security List
>
> -You should contact the Security Contact List if:
> +You should contact the Security List if:
> * You think there may be a security vulnerability in QEMU.
> * You are unsure about how a known vulnerability affects QEMU.
> * You can contact us in English. We are unable to respond in other languages.
>
> -## When *not* to contact the QEMU Security Contact List
> +## When *not* to contact the QEMU Security List
> * You need assistance in a language other than English.
> * You require technical assistance (for example, "how do I configure QEMU?").
> * You need help upgrading QEMU due to security alerts.
> @@ -76,6 +114,9 @@ You should contact the Security Contact List if:
>
> ## How impact and severity of a bug is decided
>
> +**Security criterion:**
> + -> [https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.qemu.org%2Fdocs%2Fmaster%2Fsystem%2Fsecurity.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YxhVZOXdQSSenKq%2BrLAp%2FRbbXAQUV1fpPw13Xj6TP18%3D&reserved=0](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.qemu.org%2Fdocs%2Fmaster%2Fsystem%2Fsecurity.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879480803%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QxrnZB67HVdg9B97FBcCNjP1Y%2F%2BSao4gn0X8ZVhh%2B2c%3D&reserved=0)
> +
> All security issues in QEMU are not equal. Based on the parts of the QEMU
> sources wherein the bug is found, its impact and severity could vary.
>
> @@ -122,8 +163,3 @@ used to write programs for the SoC device. In such developer environments, it
> is generally assumed that the guest is trusted.
>
> And thus, this buffer overflow turned out to be a security non-issue.
> -
> -## What to Send to the QEMU Security Contact List
> -
> -Please provide as much information about your system and the issue as possible
> -when contacting the list.
> --
> 2.28.0
>
Reviewed-by: Michael Roth <michael.roth@amd.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
` (3 preceding siblings ...)
2020-12-10 17:36 ` Michael Roth
@ 2020-12-10 21:14 ` Stefano Stabellini
2020-12-10 21:39 ` Konrad Rzeszutek Wilk
2021-01-14 15:26 ` Philippe Mathieu-Daudé
6 siblings, 0 replies; 11+ messages in thread
From: Stefano Stabellini @ 2020-12-10 21:14 UTC (permalink / raw)
To: P J P
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Stefan Hajnoczi,
Konrad Rzeszutek Wilk, QEMU Developers, Darren Kenny,
Michael Roth, Daniel P . Berrangé
On Thu, 3 Dec 2020, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
> ---
> contribute/security-process.md | 154 ++++++++++++++++++++-------------
> 1 file changed, 95 insertions(+), 59 deletions(-)
>
> Update v2: incorporate inputs from upstream reviews
> -> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00568.html
> -> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00584.html
>
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index 1239967..13b6b97 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
> @@ -3,72 +3,110 @@ title: Security Process
> permalink: /contribute/security-process/
> ---
>
> -QEMU takes security very seriously, and we aim to take immediate action to
> -address serious security-related problems that involve our product.
> -
> -Please report any suspected security vulnerability in QEMU to the following
> -addresses. You can use GPG keys for respective receipients to communicate with
> -us securely. If you do, please upload your GPG public key or supply it to us
> -in some other way, so that we can communicate to you in a secure way, too!
> -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us
> -identify your message as security-related.
> -
> -## QEMU Security Contact List
> -
> -Please copy everyone on this list:
> -
> - Contact Person(s) | Contact Address | Company | GPG Key | GPG key fingerprint
> -:-----------------------|:------------------------------|:--------------|:---------:|:--------------------
> - Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67) | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
> - Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3E786F42C44977CA) | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
> - Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x894F8F4870E1AE90) | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90
> - Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑](https://access.redhat.com/site/security/team/contact/#contact) |
> - Michael Roth | michael.roth@amd.com | AMD | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584) | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584
> - Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xE2858B5AF050DE8D) | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
> -
> -## How to Contact Us Securely
> -
> -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail
> -sent to members of the list can be encrypted with public keys of all members
> -of the list. We expect to change some of the keys we use from time to time.
> -Should a key change, the previous one will be revoked.
> -
> -## How we respond
> -
> -Maintainers listed on the security reporting list operate a policy of
> -responsible disclosure. As such they agree that any information you share with
> -them about security issues that are not public knowledge is kept confidential
> -within respective affiliated companies. It is not passed on to any third-party,
> -including Xen Security Project, without your permission.
> -
> -Email sent to us is read and acknowledged with a non-automated response. For
> -issues that are complicated and require significant attention, we will open an
> -investigation and keep you informed of our progress. We might take one or more
> -of the following steps:
> +Please report any suspected security issue in QEMU to the security mailing
> +list at:
> +
> +* [\<qemu-security@nongnu.org\>](https://lists.nongnu.org/mailman/listinfo/qemu-security)
> +
> +To report an issue via [GPG](https://gnupg.org/) encrypted email, please send
> +it to the Red Hat Product Security team at:
> +
> +* [\<secalert@redhat.com\>](https://access.redhat.com/security/team/contact/#contact)
> +
> +**Note:** after the triage, encrypted issue details shall be sent to the upstream
> +'qemu-security' mailing list for archival purposes.
> +
> +## How to report an issue:
> +
> +* Please include as many details as possible in the issue report.
> + Ex:
> + - QEMU version, upstream commit/tag
> + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc.
> + - Affected code area/snippets
> + - Stack traces, crash details
> + - Malicious inputs/reproducer steps etc.
> + - Any configurations/settings required to trigger the issue.
> +
> +* Please share the QEMU command line used to invoke a guest VM.
> +
> +* Please specify whom to acknowledge for reporting this issue.
> +
> +## How we respond:
> +
> +* Process of handling security issues comprises following steps:
> +
> + 0) **Acknowledge:**
> + - A non-automated response email is sent to the reporter(s) to acknowledge
> + the reception of the report. (*60 day's counter starts here*)
> +
> + 1) **Triage:**
> + - Examine the issue details and confirm whether the issue is genuine
> + - Validate if it can be misused for malicious purposes
> + - Determine its worst case impact and severity
> + [Low/Moderate/Important/Critical]
> +
> + 2) **Response:**
> + - Negotiate embargo timeline (if required, depending on severity)
> + - Request a [CVE](https://cveform.mitre.org/) and open an upstream
> + [bug](https://www.qemu.org/contribute/report-a-bug/)
> + - Create an upstream fix patch annotated with
> + - CVE-ID
> + - Link to an upstream bugzilla
> + - Reported-by, Tested-by etc. tags
> + - Once the patch is merged, close the upstream bug with a link to the
> + commit
> + - Fixed in: <commit hash/link>
> +
> +* Above security lists are operated by select analysts, maintainers and/or
> + representatives from downstream communities.
> +
> +* List members follow a **responsible disclosure** policy. Any non-public
> + information you share about security issues, is kept confidential within
> + members of the QEMU security team and a minimal supporting staff in their
> + affiliated companies. Such information will not be disclosed to third party
> + organisations/individuals without prior permission from the reporter(s).
> +
> +* We aim to process security issues within maximum of **60 days**. That is not
> + to say that issues will remain private for 60 days, nope. After the triaging
> + step above
> + - If severity of the issue is sufficiently low, an upstream public bug
> + will be created immediately.
> + - If severity of the issue requires co-ordinated disclosure at a future
> + date, then the embargo process below is followed, and upstream bug will
> + be opened at the end of the embargo period.
> +
> + This will allow upstream contributors to create, test and track fix patch(es).
>
> ### Publication embargo
>
> -If a security issue is reported that is not already publicly disclosed, an
> -embargo date may be assigned and communicated to the reporter. Embargo
> -periods will be negotiated by mutual agreement between members of the security
> -team and other relevant parties to the problem. Members of the security contact
> -list agree not to publicly disclose any details of the security issue until
> -the embargo date expires.
> +* If a security issue is reported that is not already public and its severity
> + requires coordinated disclosure, then an embargo date will be set and
> + communicated to the reporter(s).
> +
> +* Embargo periods will be negotiated by mutual agreement between reporter(s),
> + members of the security list and other relevant parties to the problem.
> + The preferred embargo period is upto [2
> + weeks](https://oss-security.openwall.org/wiki/mailing-lists/distros).
> + However, longer embargoes may be negotiated if the severity of the issue
> + requires it.
> +
> +* Members of the security list agree not to publicly disclose any details of
> + an embargoed security issue until its embargo date expires.
>
> ### CVE allocation
>
> -An security issue is assigned with a CVE number. The CVE numbers will usually
> -be allocated by one of the vendor security engineers on the security contact
> -list.
> +Each security issue is assigned a [CVE](https://cveform.mitre.org/) number.
> +The CVE number is allocated by one of the vendor security engineers on the
> +security list.
>
> -## When to contact the QEMU Security Contact List
> +## When to contact the QEMU Security List
>
> -You should contact the Security Contact List if:
> +You should contact the Security List if:
> * You think there may be a security vulnerability in QEMU.
> * You are unsure about how a known vulnerability affects QEMU.
> * You can contact us in English. We are unable to respond in other languages.
>
> -## When *not* to contact the QEMU Security Contact List
> +## When *not* to contact the QEMU Security List
> * You need assistance in a language other than English.
> * You require technical assistance (for example, "how do I configure QEMU?").
> * You need help upgrading QEMU due to security alerts.
> @@ -76,6 +114,9 @@ You should contact the Security Contact List if:
>
> ## How impact and severity of a bug is decided
>
> +**Security criterion:**
> + -> [https://www.qemu.org/docs/master/system/security.html](https://www.qemu.org/docs/master/system/security.html)
> +
> All security issues in QEMU are not equal. Based on the parts of the QEMU
> sources wherein the bug is found, its impact and severity could vary.
>
> @@ -122,8 +163,3 @@ used to write programs for the SoC device. In such developer environments, it
> is generally assumed that the guest is trusted.
>
> And thus, this buffer overflow turned out to be a security non-issue.
> -
> -## What to Send to the QEMU Security Contact List
> -
> -Please provide as much information about your system and the issue as possible
> -when contacting the list.
> --
> 2.28.0
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
` (4 preceding siblings ...)
2020-12-10 21:14 ` Stefano Stabellini
@ 2020-12-10 21:39 ` Konrad Rzeszutek Wilk
2021-01-14 15:26 ` Philippe Mathieu-Daudé
6 siblings, 0 replies; 11+ messages in thread
From: Konrad Rzeszutek Wilk @ 2020-12-10 21:39 UTC (permalink / raw)
To: P J P
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Stefan Hajnoczi,
QEMU Developers, Darren Kenny, Michael Roth,
Daniel P . Berrangé
On Thu, Dec 03, 2020 at 06:29:02AM -0800, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Thank you!
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
` (5 preceding siblings ...)
2020-12-10 21:39 ` Konrad Rzeszutek Wilk
@ 2021-01-14 15:26 ` Philippe Mathieu-Daudé
2021-01-14 15:31 ` P J P
6 siblings, 1 reply; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-01-14 15:26 UTC (permalink / raw)
To: P J P, Stefan Hajnoczi
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Prasad J Pandit, Michael S . Tsirkin, Michael Roth,
Konrad Rzeszutek Wilk, QEMU Developers, Darren Kenny,
Paolo Bonzini, Daniel P . Berrangé
Hi Prasad,
On 12/3/20 3:29 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> We are about to introduce a qemu-security mailing list to report
> and triage QEMU security issues.
>
> Update the security process web page with new mailing list address
> and triage details.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> contribute/security-process.md | 154 ++++++++++++++++++++-------------
> 1 file changed, 95 insertions(+), 59 deletions(-)
What is the status of this, is something missing?
Thanks,
Phil.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2021-01-14 15:26 ` Philippe Mathieu-Daudé
@ 2021-01-14 15:31 ` P J P
2021-01-14 15:32 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 11+ messages in thread
From: P J P @ 2021-01-14 15:31 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Michael S . Tsirkin, Stefan Hajnoczi, Konrad Rzeszutek Wilk,
QEMU Developers, Darren Kenny, Paolo Bonzini, Michael Roth,
Daniel P . Berrangé
[-- Attachment #1: Type: text/plain, Size: 322 bytes --]
+-- On Thu, 14 Jan 2021, Philippe Mathieu-Daudé wrote --+
| What is the status of this, is something missing?
-> https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg04469.html
It is up and running.^^
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/1] security-process: update process information
2021-01-14 15:31 ` P J P
@ 2021-01-14 15:32 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-01-14 15:32 UTC (permalink / raw)
To: P J P
Cc: peter.maydell, Stefano Stabellini, Petr Matousek,
Michael S . Tsirkin, Stefan Hajnoczi, Konrad Rzeszutek Wilk,
QEMU Developers, Darren Kenny, Paolo Bonzini, Michael Roth,
Daniel P . Berrangé
On 1/14/21 4:31 PM, P J P wrote:
> +-- On Thu, 14 Jan 2021, Philippe Mathieu-Daudé wrote --+
> | What is the status of this, is something missing?
>
> -> https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg04469.html
>
> It is up and running.^^
Ah, this is a qemu-web patch, sorry...
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2021-01-14 15:36 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-03 14:29 [PATCH v2 0/1] security-process: update with mailing list details P J P
2020-12-03 14:29 ` [PATCH v2 1/1] security-process: update process information P J P
2020-12-03 14:38 ` Daniel P. Berrangé
2020-12-03 15:43 ` Darren Kenny
2020-12-10 14:17 ` Petr Matousek
2020-12-10 17:36 ` Michael Roth
2020-12-10 21:14 ` Stefano Stabellini
2020-12-10 21:39 ` Konrad Rzeszutek Wilk
2021-01-14 15:26 ` Philippe Mathieu-Daudé
2021-01-14 15:31 ` P J P
2021-01-14 15:32 ` Philippe Mathieu-Daudé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).