canmove, Confirmed users
637
edits
Security/Firefox/Security Bug Life Cycle: Difference between revisions
Security/Firefox/Security Bug Life Cycle (view source)
Revision as of 06:58, 10 March 2020
, 10 March 2020Fixing queries to find older fixed bugs
(Link to document that supports the use of P1 for severe security bugs) |
(Fixing queries to find older fixed bugs) |
||
| (6 intermediate revisions by 3 users not shown) | |||
| Line 54: | Line 54: | ||
[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled&order=Last+Changed '''Open sec-critical and sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical&order=Last+Changed include stalled]) <br> | [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled&order=Last+Changed '''Open sec-critical and sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical&order=Last+Changed include stalled]) <br> | ||
[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs'''] ([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled]) | [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20-kw:stalled%20%40nobody '''Unassigned sec-critical/sec-high bugs''']([https://bugzilla.mozilla.org/buglist.cgi?quicksearch=class%3Aclient%2Ccomp%20kw:sec-high%2Csec-critical%20%40nobody include stalled])<br> | ||
[https://mzl.la/2PJblUW '''Sec-critical/sec-high bugs without a priority'''] | |||
== Administrivia == | == Administrivia == | ||
| Line 84: | Line 85: | ||
== Landing Fixes == | == Landing Fixes and Tests == | ||
External parties watch check-ins in order to identify security patches [https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/][https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html], and we have both documented and suspected cases of this for Firefox patches. We don’t want to 0-day ourselves by landing obvious fixes that sit in the tree for a long time before they are shipped in an update, and we especially don't want to land test cases that demonstrate how to trigger the vulnerability. The [https://wiki.mozilla.org/Security/Bug_Approval_Process '''Security Bug Approval Process'''] is designed to prevent that. Part of the approval process is evaluating what bugs need to be pushed to Beta and which are risky and need to ride the trains, and whether or not the patch is needed on supported ESR branches. | External parties watch check-ins in order to identify security patches [https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/][https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html], and we have both documented and suspected cases of this for Firefox patches. We don’t want to 0-day ourselves by landing obvious fixes that sit in the tree for a long time before they are shipped in an update, and we especially don't want to land test cases that demonstrate how to trigger the vulnerability. The [https://wiki.mozilla.org/Security/Bug_Approval_Process '''Security Bug Approval Process'''] is designed to prevent that. Part of the approval process is evaluating what bugs need to be pushed to Beta and which are risky and need to ride the trains, and whether or not the patch is needed on supported ESR branches. | ||
| Line 96: | Line 97: | ||
[https://bugzilla.mozilla.org/buglist.cgi? | [https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&f3=status_whiteboard&j2=OR&f5=CP&v1=in-testsuite%3F&v4=sec-&o1=substring&o4=substring&f1=flagtypes.name&f4=keywords&f2=OP&v3=%5Bsg%3A&emailassigned_to1=1&emailtype1=substring&email1=%25user%25&o3=substring&list_id=15143453 '''"My" security testcases that need landing'''] (personalized)<br> | ||
[https://bugzilla.mozilla.org/buglist.cgi? | [https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&f3=status_whiteboard&j2=OR&f5=CP&v1=in-testsuite%3F&v4=sec-&o1=substring&o4=substring&f1=flagtypes.name&f4=keywords&f2=OP&v3=%5Bsg%3A&o3=substring&limit=0 '''All unlanded testcases for fixed security bugs''']<br> | ||
[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20sec-approval%3F '''Pending sec-approval requests'''] | [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20sec-approval%3F '''Pending sec-approval requests'''] | ||
<br> | <br> | ||
| Line 114: | Line 115: | ||
== Security Advisories == | == Security Advisories == | ||
The fixed bugs that had been present in a shipped release need to have a CVE assigned and to be written up in our release advisories. Security fixes for recent regressions that only affected Nightly or Beta don’t need an advisory. [https:// | The fixed bugs that had been present in a shipped release need to have a CVE assigned and to be written up in our release advisories. Security fixes for recent regressions that only affected Nightly or Beta don’t need an advisory. [https://wiki.mozilla.org/Security/Firefox/Security_Bug_Life_Cycle/Security_Advisories Advisory instructions] | ||
For historical write-ups see our | For historical write-ups see our | ||