##(see the SpecSpec for an explanation) * '''Launchpad Entry''': UbuntuSpec:security-karmic-usn-format * '''Created''': 2009-06-02 * '''Contributors''': jdstrand, kees, mdeslaur, mpt, sbeattie * '''Packages affected''': none * '''Status''': Implemented == Summary == Update the Ubuntu Security Notice (USN) format for better readability and integration with GUI tools. == Release Note == USNs go to the {{{ ubuntu-security-announce }}} mailing list and are published at http:///www.ubuntu.com/usn. The impact is considered minimal as the current format does not lend itself to scripting, but for those that do screen scraping, the new USN format will require users to update their scripts. == Rationale == The current USN format suffers from the following: * text only (ugly on website) * do not include some important information (on website) like checksums * explanatory text does is a weird mixture of end-user simplicity with admin jargon * information flow is wrong, need to put the important stuff first * email is incredibly long * has now GUI integration (update-manager displays the changelog text only) The new format will address these deficiencies. == User stories == Alice is alerted to a security update in update-manager (or other desktop application). She finds the changelog found in update-manager to be confusing and unhelpful. Brian is a system administrator for a large Ubuntu deployment and receives mail from {{{ ubuntu-security-announce }}}. The current format forces Brian to jump around the email for the most important information and does not explain in enough detail the problem which forces him to look at the changelog text to determine the priority of applying the updates. == Assumptions == * target audience is end users and administrators * should be in a format easy to extend to OPAL compliance * required information * title and date * software affected (upstream name) * affected releases * summary (for end-users) * description (technical, for admins) * update instructions * fixed package versions * CVE and bug references (hyperlinked if html) * package information in Launchpad (linked if html) * website and email * both need to look good and convey the necessary information. Provide very clean markup so CSS is easy * email should be very clean as well == Implementation == Use existing mechanisms such as usn-tool and simply modify the existing template. === Proposed format === The "Summary" section would show in Update Manager, while all sections would appear on ubuntu.com and be sent to the mailing list. {{{ ========================================================================== Ubuntu Security Notice USN-716-1 January 30, 2009 MoinMoin vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 8.10 - Ubuntu 8.04 LTS - Ubuntu 7.10 - Ubuntu 6.06 LTS Summary: MoinMoin could be pwnd, yo. ... Software description: - MoinMoin is... Details: Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS. (CVE-2008-0780) Fernando Quintero discovered that MoinMoin did not properly sanitize its input when attaching files, resulting in cross-site scripting vulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781) It was discovered that MoinMoin did not properly sanitize its input when processing user forms. A remote attacker could submit crafted cookie values and overwrite arbitrary files via directory traversal. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782) It was discovered that MoinMoin did not properly sanitize its input when editing pages, resulting in cross-site scripting vulnerabilities. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098) It was discovered that MoinMoin did not properly enforce access controls, which could allow a remoter attacker to view private pages. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099) It was discovered that MoinMoin did not properly sanitize its input when attaching files and using the rename parameter, resulting in cross-site scripting vulnerabilities. (CVE-2009-0260) It was discovered that MoinMoin did not properly sanitize its input when displaying error messages after processing spam, resulting in cross-site scripting vulnerabilities. (CVE-2009-0312) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 8.10: python-moinmoin 1.7.1-1ubuntu1.1 Ubuntu 8.04 LTS: python-moinmoin 1.5.8-5.1ubuntu2.2 Ubuntu 7.10: python-moinmoin 1.5.7-3ubuntu2.1 Ubuntu 6.06 LTS: python2.4-moinmoin 1.5.2-1ubuntu2.4 In general, a standard system update will make all the necessary changes. ATTENTION: abi fun fun fun ... References: CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098, CVE-2008-1099, CVE-2009-0260, CVE-2009-0312 https://bugs.launchpad.net/bug/123456 Package Information: https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2 }}} == Test/Demo Plan == Review changes with the DUX and website teams before rolling out. Template files are in bzr version control and can be rolled back if there is a problem. ---- CategorySpec