Ubuntu Wiki

Immutable Page
Info
Attachments

UpdateProcedures

Contents

Issues that warrant a security update

We only fix bugs in our stable releases which truly affect overall system security, i. e. which enable an attacker to circumvent the permissions configured on the system, or are a threat to the user's data in any way. Most common examples:

Buffer overflow in a server process which allows to crash it (denial of service) and/or to execute attacker provided code (privilege escalation).
Insecure temporary file handling which allows race condition and symlink attacks to delete unrelated files with the invoker's privileges.
Non-working security-relevant configuration options (e. g. iptables would allow packets which should be blocked, or a server's ACL option does not do the right thing).
Less critical bugs (like Denial of Service vulnerabilities in instant messengers or email applications) are also fixed usually, but with lower priority.

Responsibility

The Ubuntu Security team (security@ubuntu.com, Launchpad team ubuntu-security) is responsible for all issues that affect source packages in Ubuntu main and restricted and will work with upstreams (Canonical and other), distributions and developers in providing security fixes to Ubuntu.

The Ubuntu Security team also tracks issues in universe and multiverse and at their discretion may request a sync from Debian to solve vulnerabilities in packages in the current development release. Patches for flaws in packages from universe and multiverse for stable releases or for the development release when a sync from Debian is deemed too intrusive should be prepared by community members.

Preparing an update

Preparing an update requires a lot of effort and attention to detail. Ubuntu has millions of users who expect a very high level of stability in their system. To achieve a high level of quality, the process has be broken down into the following stages:

The MOTU and MOTU Swat developers are available to answer questions and provide assistance in preparing updates. The Ubuntu Security team will process updates from community and provide assistance as needed.

Remember: People can help with any stage of the process, so don't be shy-- get involved!

Releasing an update

Only members of the Ubuntu Security team can publish security updates into the security pocket for a given Ubuntu release. Updates are usually uploaded to and published from the private Ubuntu Security team PPA, though other teams may have their own PPAs that updates may be pulled from.

The Ubuntu Security team publishes updates from the following:

Team	Location	Availability	Publication Procedure
Ubuntu Security	Ubuntu Security PPA	private	UpdatePublication
Ubuntu Security Proposed	Ubuntu Security Proposed PPA	public	UpdatePublication
Mozilla Security	Mozilla Security PPA	public	ArchiveAdministration

For packages that have a special publication procedure such as the kernel or Mozilla updates, please also consult SecurityTeam/PublicationNotes.

Sponsoring an update

Please review the SponsorshipProcess and the SecurityTeam/SponsorsQueue.

Regressions

In the case of regressions caused by security updates, please follow the SRU regression policy.

CategorySecurityTeam CategoryProcess

SecurityTeam/UpdateProcedures (last edited 2019-09-16 14:57:57 by seth-arnold)

The material on this wiki is available under a free license, see Copyright / License for details.

URL: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

⇱ SecurityTeam/UpdateProcedures - Ubuntu Wiki