USNSpec

  • Launchpad Entry: security-karmic-usn-format

  • Created: 2009-06-02

  • Contributors: jdstrand, kees, mdeslaur, mpt, sbeattie

  • Packages affected: none

  • Status: Implemented

Summary

Update the Ubuntu Security Notice (USN) format for better readability and integration with GUI tools.

Release Note

USNs go to the  ubuntu-security-announce  mailing list and are published at http:///www.ubuntu.com/usn. The impact is considered minimal as the current format does not lend itself to scripting, but for those that do screen scraping, the new USN format will require users to update their scripts.

Rationale

The current USN format suffers from the following:

  • text only (ugly on website)
  • do not include some important information (on website) like checksums
  • explanatory text does is a weird mixture of end-user simplicity with admin jargon
  • information flow is wrong, need to put the important stuff first
  • email is incredibly long
  • has now GUI integration (update-manager displays the changelog text only)

The new format will address these deficiencies.

User stories

Alice is alerted to a security update in update-manager (or other desktop application). She finds the changelog found in update-manager to be confusing and unhelpful.

Brian is a system administrator for a large Ubuntu deployment and receives mail from  ubuntu-security-announce . The current format forces Brian to jump around the email for the most important information and does not explain in enough detail the problem which forces him to look at the changelog text to determine the priority of applying the updates.

Assumptions

  • target audience is end users and administrators
  • should be in a format easy to extend to OPAL compliance
  • required information
    • title and date
    • software affected (upstream name)
    • affected releases
    • summary (for end-users)
    • description (technical, for admins)
    • update instructions
    • fixed package versions
    • CVE and bug references (hyperlinked if html)
    • package information in Launchpad (linked if html)
  • website and email
    • both need to look good and convey the necessary information. Provide very clean markup so CSS is easy
    • email should be very clean as well

Implementation

Use existing mechanisms such as usn-tool and simply modify the existing template.

Proposed format

The "Summary" section would show in Update Manager, while all sections would appear on ubuntu.com and be sent to the mailing list. 

==========================================================================
Ubuntu Security Notice USN-716-1
January 30, 2009

MoinMoin vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 7.10
- Ubuntu 6.06 LTS

Summary:

MoinMoin could be pwnd, yo.  ...

Software description:
- MoinMoin is...

Details:

Fernando Quintero discovered than MoinMoin did not properly sanitize its
input when processing login requests, resulting in cross-site scripting (XSS)
vulnerabilities. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential data,
within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS.
(CVE-2008-0780)

Fernando Quintero discovered that MoinMoin did not properly sanitize its input
when attaching files, resulting in cross-site scripting vulnerabilities. This
issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)

It was discovered that MoinMoin did not properly sanitize its input when
processing user forms. A remote attacker could submit crafted cookie values and
overwrite arbitrary files via directory traversal. This issue affected Ubuntu
6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)

It was discovered that MoinMoin did not properly sanitize its input when
editing pages, resulting in cross-site scripting vulnerabilities. This issue
only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)

It was discovered that MoinMoin did not properly enforce access controls,
which could allow a remoter attacker to view private pages. This issue only
affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)

It was discovered that MoinMoin did not properly sanitize its input when
attaching files and using the rename parameter, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0260)

It was discovered that MoinMoin did not properly sanitize its input when
displaying error messages after processing spam, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0312)

Update instructions:

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 8.10:
  python-moinmoin           1.7.1-1ubuntu1.1

Ubuntu 8.04 LTS:
  python-moinmoin           1.5.8-5.1ubuntu2.2

Ubuntu 7.10:
  python-moinmoin           1.5.7-3ubuntu2.1

Ubuntu 6.06 LTS:
  python2.4-moinmoin        1.5.2-1ubuntu2.4

In general, a standard system update will make all the necessary changes.

ATTENTION: abi fun fun fun
...

References:
  CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098,
  CVE-2008-1099, CVE-2009-0260, CVE-2009-0312
  https://bugs.launchpad.net/bug/123456

Package Information:
  https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2
  https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2
  https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2
  https://launchpad.net/ubuntu/+source/moin/1.5.8-5.1ubuntu2.2

Test/Demo Plan

Review changes with the DUX and website teams before rolling out. Template files are in bzr version control and can be rolled back if there is a problem.

CategorySpec

SecurityTeam/Specifications/USNSpec (last edited 2011-04-14 16:53:19 by pool-71-114-233-7)