9:05 a.m.
Hello All,
While looking through our unowned tickets via the links from the page here:
http://fedoraproject.org/wiki/Security_Team
I noticed that we were filtering on Priority and not Severity. Because
of this tickets here:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS...
That have a severity rating of High, were being grouped under the
Unknown listing, since priority was unspecified.
I propose updating the links and any scripts to filter on Severity and
not Priority as we are concerned with the security impact and not the
projects chosen priority for the fix.
Any issues with that?
Thanks,
David
11:44 a.m.
Hello David,
On Thursday, 12 November 2015 8:35 PM, David Cafaro
<dac(a)cafaro.net> wrote:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS...
It shows a single bug BZ#1209214, right? It appears to be filed by a user
and then converted into a 'SecurityTracking' bug. Generally
'SecurityTracking'
bugs are created by automated tools which set both priority and severity to
be same.[*]
ex:-> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2927
-> https://bugzilla.redhat.com/show_bug.cgi?id=1279691
[*]-> https://bugzilla.redhat.com/page.cgi?id=fields.html#priority
That have a severity rating of High, were being grouped under the
Unknown listing, since priority was unspecified.
Most likely user missed to set the priority.
I propose updating the links and any scripts to filter on Severity
and
not Priority as we are concerned with the security impact and not the
projects chosen priority for the fix.
Any issues with that?
I think above case is a one off. We need not change the query
on the FST page, but if we must, we could include both 'priorty'
and 'severity' field in the query.
---Regards
-P J P
http://feedmug.com
12:21 p.m.
On 11/12/2015 12:44 PM, pjp(a)fedoraproject.org wrote:
> On Thursday, 12 November 2015 8:35 PM, David Cafaro
<dac(a)cafaro.net> wrote:
>
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS...
>
It shows a single bug BZ#1209214, right? It appears to be filed by a user
and then converted into a 'SecurityTracking' bug. Generally
'SecurityTracking'
bugs are created by automated tools which set both priority and severity to
be same.[*]
There had been two bugs in there, the other had no priority and no
severity. I mentioned it in the meeting this morning and Sparks updated
it with priority and severity.
It's good the automated tools do this, but it's good to catch the manual
ones like this as well.
That have a severity rating of High, were being grouped under the
Unknown listing, since priority was unspecified.
Most likely user missed to set the priority.
Yes, likely problem, but I see it happening again, I'm sure.
I think above case is a one off. We need not change the query
on the FST page, but if we must, we could include both 'priorty'
and 'severity' field in the query.
The above cases were one-off's but I expect them to happen again. Not
frequently, but they will happen again.
The main reason I suggest changing our filter is that the Priority is
likely something set according to the view of the developer/team in
regards to how it fits into their overall work backlog. The Severity is
a rating based how "bad" it is. From a security perspective we may
think of something as having a higher priority due to certain types of
Severity vs the developers Priority to working on the bug. Including
them both might be the best way to go.
Due to automation, as you point out, most of the time they will match.
But for manually reported stuff, which we are also trying to capture,
there may be differences between the two.
Thanks,
David
1:34 p.m.
On Thursday, November 12, 2015 01:21:24 PM David Cafaro wrote:
The main reason I suggest changing our filter is that the Priority
is
likely something set according to the view of the developer/team in
regards to how it fits into their overall work backlog. The Severity is
a rating based how "bad" it is. From a security perspective we may
think of something as having a higher priority due to certain types of
Severity vs the developers Priority to working on the bug.
Yeah, that was my thinking in that severity was the impact of the
vulnerability and priority was the priority of the fix to the devel team. The
automated tool uses the impact to set both fields but I think we should assume
that the devel team might change the priority.
For our numbers, I think we should be using severity to note the impact.
--Eric
8:24 p.m.
New subject: Done (was Re: Changing link filtering)
On Nov 12, 2015, at 10:05 AM, David Cafaro <dac(a)cafaro.net>
wrote:
Hello All,
While looking through our unowned tickets via the links from the page here:
http://fedoraproject.org/wiki/Security_Team
I noticed that we were filtering on Priority and not Severity. Because
of this tickets here:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS...
That have a severity rating of High, were being grouped under the
Unknown listing, since priority was unspecified.
I propose updating the links and any scripts to filter on Severity and
not Priority as we are concerned with the security impact and not the
projects chosen priority for the fix.
Any issues with that?
So based on feed back from this thread and the IRC meeting today I update the unowned
search links on the FST page to search for both Severity and Priority, but independently.
That way if either priority or severity are set to say “high” it will show up in the list
of important vulnerabilities.
This change only caused one search result set change. There is now an additional ticket
showing up in the unowned Important list:
https://bugzilla.redhat.com/show_bug.cgi?id=1209214
I did not update the other links as once they are owned, we can fix the priority or
severity, or at minimum it’s now being tracked.
Cheers,
David
1:39 p.m.
New subject: Done (was Re: Changing link filtering)
On Thursday, December 03, 2015 09:24:44 PM David Cafaro wrote:
I did not update the other links as once they are owned, we can fix
the
priority or severity, or at minimum it’s now being tracked.
I just updated the ticket to medium/medium to match the CVE impact of
moderate.
--Eric
3064
days inactive
3086
days old
security-team@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
David Cafaro -
Eric Christensen -
P J P