public inbox for libc-alpha@sourceware.org
* What is our SLA for going from reserved CVE to published CVE?
@ 2024-05-02  2:12 Carlos O'Donell
  2024-05-02  4:06 ` DJ Delorie
  2024-05-02 10:35 ` Siddhesh Poyarekar
  0 siblings, 2 replies; 8+ messages in thread
From: Carlos O'Donell @ 2024-05-02  2:12 UTC (permalink / raw)
  To: libc-alpha, Siddhesh Poyarekar, Adhemerval Zanella

Raising this on libc-alpha for a broader discussion.

For CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 and CVE-2024-33602
the glibc security team has not yet published the CVE IDs, only reserved
the block.

I have just completed filling in the advisories and have all the data
for publishing them along with publishing the CVE IDs [1].

I could have published the CVE IDs *earlier* but my reading of the CNA
rules is that:
~~~
2.2.3 SHOULD provide the CVE Record information within 24 hours of
publishing the CVE ID.
~~~

So once I publish the CVE ID I need to move quickly to fill in all the
record information... which I don't have until I complete the
advisory text.

For these CVE IDs it will have been ~7-8 days to publish, which is too
long IMO, but we can improve that.

Under embargo was certainly easier because the timeline gives us time
to write the advisory text and get it ready for publishing.

Would it be better if we just published interim text and updated as we go?

-- 
Cheers,
Carlos.

[1] https://inbox.sourceware.org/libc-alpha/20240502020121.3267018-1-carlos@redhat.com/T/#m749caf9d5b5e7093efe1bb2ae4cb413ec9749ad4



* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-02  2:12 What is our SLA for going from reserved CVE to published CVE? Carlos O'Donell
@ 2024-05-02  4:06 ` DJ Delorie
  2024-05-02 10:35 ` Siddhesh Poyarekar
  1 sibling, 0 replies; 8+ messages in thread
From: DJ Delorie @ 2024-05-02  4:06 UTC (permalink / raw)
  To: Carlos O'Donell; +Cc: libc-alpha

"Carlos O'Donell" <carlos@redhat.com> writes:
> Would it be better if we just published interim text and updated as we go?

Putting on my "generic user" hat...

The point of a CVE is to let users know, as quickly as possible:

1. What happened

2. What, if anything, they need to do IMMEDIATELY

3. What the long-term solution would be

I think if you have some but not all of these, at least in the correct
order, publishing what you know and updating it later would be far
better than waiting - and letting the user be compromised - for a full
report later.  Especially if you have 1+2 but are waiting on 3.

So in the non-embargo case, I advocate for giving out information as we
have it.  It's better for the user and more in line with our "open"
philosophy.



* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-02  2:12 What is our SLA for going from reserved CVE to published CVE? Carlos O'Donell
  2024-05-02  4:06 ` DJ Delorie
@ 2024-05-02 10:35 ` Siddhesh Poyarekar
  2024-05-02 10:46   ` Florian Weimer
  1 sibling, 1 reply; 8+ messages in thread
From: Siddhesh Poyarekar @ 2024-05-02 10:35 UTC (permalink / raw)
  To: Carlos O'Donell, libc-alpha, Adhemerval Zanella

On 2024-05-01 22:12, Carlos O'Donell wrote:
> Raising this on libc-alpha for a broader discussion.
> 
> For CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 and CVE-2024-33602
> the glibc security team has not yet published the CVE IDs, only reserved
> the block.
> 
> I have just completed filling in the advisories and have all the data
> for publishing them along with publishing the CVE IDs [1].
> 
> I could have published the CVE IDs *earlier* but my reading of the CNA
> rules is that:
> ~~~
> 2.2.3 SHOULD provide the CVE Record information within 24 hours of
> publishing the CVE ID.
> ~~~
> 
> So once I publish the CVE ID I need to move quickly to fill in all the
> record information... which I don't have until I complete the
> advisory text.
> 
> For these CVE IDs it will have been ~7-8 days to publish, which is too
> long IMO, but we can improve that.
> 
> Under embargo was certainly easier because the timeline gives us time
> to write the advisory text and get it ready for publishing.
> 
> Would it be better if we just published interim text and updated as we go?

The CVE record tends to have a single-line description that identifies 
affected functionality and versions, which I think we should be able to 
deliver when we reserve the CVE.  One thing I haven't tested yet is the 
feature to publish records at a specific future date.  If that works, we 
could make it part of our workflow to add a description at the time of 
CVE number reservation, regardless of embargo state.

Thanks,
Sid



* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-02 10:35 ` Siddhesh Poyarekar
@ 2024-05-02 10:46   ` Florian Weimer
  2024-05-15 18:32     ` Carlos O'Donell
  0 siblings, 1 reply; 8+ messages in thread
From: Florian Weimer @ 2024-05-02 10:46 UTC (permalink / raw)
  To: Siddhesh Poyarekar; +Cc: Carlos O'Donell, libc-alpha

* Siddhesh Poyarekar:

> On 2024-05-01 22:12, Carlos O'Donell wrote:
>> Would it be better if we just published interim text and updated as
>> we go?
>
> The CVE record tends to have a single line description that identifies
> affected functionality and versions, which I think we should be able
> to deliver when we reserve the CVE.

I think this would be best, yes.

> One thing I haven't tested yet is the feature to publish records at a
> specific future date.  If that works, we could make it part of our
> workflow to add a description at the time of CVE number reservation,
> regardless of embargo state.

It may make things more complicated because you have to remember to
adjust the pending publication data whenever things evolve during the
embargo phase.  The time-based publication also seems a bit scary.

Thanks,
Florian



* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-02 10:46   ` Florian Weimer
@ 2024-05-15 18:32     ` Carlos O'Donell
  2024-05-15 18:36       ` Siddhesh Poyarekar
  0 siblings, 1 reply; 8+ messages in thread
From: Carlos O'Donell @ 2024-05-15 18:32 UTC (permalink / raw)
  To: Florian Weimer, Siddhesh Poyarekar; +Cc: libc-alpha, Adhemerval Zanella

On 5/2/24 6:46 AM, Florian Weimer wrote:
> * Siddhesh Poyarekar:
> 
>> On 2024-05-01 22:12, Carlos O'Donell wrote:
>>> Would it be better if we just published interim text and updated as
>>> we go?
>>
>> The CVE record tends to have a single line description that identifies
>> affected functionality and versions, which I think we should be able
>> to deliver when we reserve the CVE.
> 
> I think this would be best, yes.

Just for clarity, reservation does not require any updates.

I would have to *publish* the CVE IDs with *minimal* data to meet the CNA rules.

This includes having a valid public link, which means I need to also commit minimal
text to the advisories/ directory for the link to be valid.

Are we agreeing to a minimal publishing regime followed by an update?

-- 
Cheers,
Carlos.



* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-15 18:32     ` Carlos O'Donell
@ 2024-05-15 18:36       ` Siddhesh Poyarekar
  2024-05-16  7:21         ` Adhemerval Zanella Netto
  0 siblings, 1 reply; 8+ messages in thread
From: Siddhesh Poyarekar @ 2024-05-15 18:36 UTC (permalink / raw)
  To: Carlos O'Donell, Florian Weimer; +Cc: libc-alpha, Adhemerval Zanella

On 2024-05-15 14:32, Carlos O'Donell wrote:
> On 5/2/24 6:46 AM, Florian Weimer wrote:
>> * Siddhesh Poyarekar:
>>
>>> On 2024-05-01 22:12, Carlos O'Donell wrote:
>>>> Would it be better if we just published interim text and updated as
>>>> we go?
>>>
>>> The CVE record tends to have a single line description that identifies
>>> affected functionality and versions, which I think we should be able
>>> to deliver when we reserve the CVE.
>>
>> I think this would be best, yes.
> 
> Just for clarity, reservation does not require any updates.
> 
> I would have to *publish* the CVE IDs with *minimal* data to meet the CNA rules.
> 
> This includes having a valid public link, which means I need to also commit minimal
> text to the advisories/ directory for the link to be valid.
> 
> Are we agreeing to a minimal publishing regime followed by an update?
> 

Yes.

Sid



* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-15 18:36       ` Siddhesh Poyarekar
@ 2024-05-16  7:21         ` Adhemerval Zanella Netto
  2024-05-16 11:16           ` Carlos O'Donell
  0 siblings, 1 reply; 8+ messages in thread
From: Adhemerval Zanella Netto @ 2024-05-16  7:21 UTC (permalink / raw)
  To: Siddhesh Poyarekar, Carlos O'Donell, Florian Weimer; +Cc: libc-alpha



On 15/05/24 20:36, Siddhesh Poyarekar wrote:
> On 2024-05-15 14:32, Carlos O'Donell wrote:
>> On 5/2/24 6:46 AM, Florian Weimer wrote:
>>> * Siddhesh Poyarekar:
>>>
>>>> On 2024-05-01 22:12, Carlos O'Donell wrote:
>>>>> Would it be better if we just published interim text and updated as
>>>>> we go?
>>>>
>>>> The CVE record tends to have a single line description that identifies
>>>> affected functionality and versions, which I think we should be able
>>>> to deliver when we reserve the CVE.
>>>
>>> I think this would be best, yes.
>>
>> Just for clarity, reservation does not require any updates.
>>
>> I would have to *publish* the CVE IDs with *minimal* data to meet the CNA rules.
>>
>> This includes having a valid public link, which means I need to also commit minimal
>> text to the advisories/ directory for the link to be valid.
>>
>> Are we agreeing to a minimal publishing regime followed by an update?
>>
> 
> Yes.
> 
> Sid
> 

Agreed as well.


* Re: What is our SLA for going from reserved CVE to published CVE?
  2024-05-16  7:21         ` Adhemerval Zanella Netto
@ 2024-05-16 11:16           ` Carlos O'Donell
  0 siblings, 0 replies; 8+ messages in thread
From: Carlos O'Donell @ 2024-05-16 11:16 UTC (permalink / raw)
  To: Adhemerval Zanella Netto, Siddhesh Poyarekar, Florian Weimer; +Cc: libc-alpha

On 5/16/24 3:21 AM, Adhemerval Zanella Netto wrote:
> 
> 
> On 15/05/24 20:36, Siddhesh Poyarekar wrote:
>> On 2024-05-15 14:32, Carlos O'Donell wrote:
>>> On 5/2/24 6:46 AM, Florian Weimer wrote:
>>>> * Siddhesh Poyarekar:
>>>>
>>>>> On 2024-05-01 22:12, Carlos O'Donell wrote:
>>>>>> Would it be better if we just published interim text and updated as
>>>>>> we go?
>>>>>
>>>>> The CVE record tends to have a single line description that identifies
>>>>> affected functionality and versions, which I think we should be able
>>>>> to deliver when we reserve the CVE.
>>>>
>>>> I think this would be best, yes.
>>>
>>> Just for clarity, reservation does not require any updates.
>>>
>>> I would have to *publish* the CVE IDs with *minimal* data to meet the CNA rules.
>>>
>>> This includes having a valid public link, which means I need to also commit minimal
>>> text to the advisories/ directory for the link to be valid.
>>>
>>> Are we agreeing to a minimal publishing regime followed by an update?
>>>
>>
>> Yes.
>>
>> Sid
>>
> 
> Agreed as well.
> 

Done. That is the entire glibc security team in agreement: we'll publish minimal
updates for *public* CVEs to avoid the delay between reservation and publishing.
This allows downstream to be alerted to the issue early. This also means we have
consensus to push advisories/ files with those minimal updates and follow up with
review of final patches with full text.

-- 
Cheers,
Carlos.


