Project

General

Profile

Suggestion: Replicant security matrix

Added by Daniel Kulesz over 8 years ago

With all these android CVEs from the last months, it is pretty difficult to keep track of security issues in replicant. Therefore, I suggest creating a matrix / table in the wiki with the following columns:

ID (with link to the CVE or other sources)
Status (reported, under investigation, investigation completed)
Affected replicant versions (values can be also "unknown")
Replicant versions not affected
Replicant fixes (with links to commits)
More information (links i.e. to a discussion in this forum)

Of course, this could be also handled by the redmine issues provided we would have a "security" tracker or something like this.


Replies (4)

RE: Suggestion: Replicant security matrix - Added by Paul Kocialkowski over 8 years ago

Of course, this could be also handled by the redmine issues provided we would have a "security" tracker or something like this.

We do! I suggest we keep things in the tracker since it's definitely "where it belongs". It's not that hard to keep track of it in the future either.

RE: Suggestion: Replicant security matrix - Added by Daniel Kulesz over 8 years ago

I see. Well, sometimes there is one ticket per security issue, but sometimes multiple security issues are handled in just one ticket. Maybe we could split them up and also use more meaningful titles, like the CVE-identifier first?

RE: Suggestion: Replicant security matrix - Added by My Self over 8 years ago

sometimes there is one ticket per security issue, but sometimes multiple security issues are handled in just one ticket.
Maybe we could split them up and also use more meaningful titles, like the CVE-identifier first?

But why exactly? Isn't the redmine-search enough? If you searching for a specific CVE, you'll get an result, even if the CVE-number is not in the title of every single vulnerability.

For example, if you check [X] issues and [X] messages and searching for 'CVE-2015' you'll get results from the issues (and see if somebody has already submitted the informations and/or patches) and also if the CVE would be under the 'NOT affected thread' (http://redmine.replicant.us/boards/39/topics/8283?r=10461) or somewhere else in the forum.
Example string: http://redmine.replicant.us/search/index/replicant?q=CVE-2015&scope=&all_words=&all_words=1&titles_only=&issues=1&messages=1&submit=Submit

What exactly would be the benefit you see, which would justify the effort to keep such an extra created list up to date?

RE: Suggestion: Replicant security matrix - Added by Daniel Kulesz over 8 years ago

If you are searching for a specific CVE - yes. But not the other way round, if you don't know which CVEs are there and you would like to "browse" the current status. This would allow to better keep track of open/resolved issues and give a clear picture of "how vulnerable" the current version actually is (in terms of known security issues).

And I'm not saying we should keep an extra list (I did in my original posting, but having this in issues is fine!), but that we should have one ticket per security issue.

    (1-4/4)