/usr/share/doc/ubuntu-packaging-guide-html/security-and-stable-release-updates.html is in ubuntu-packaging-guide-html 0.3.7.

This file is owned by root:root, with mode 0o644.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>7. Security and Stable Release Updates &mdash; Ubuntu Packaging Guide</title>
    <link rel="shortcut icon" href="./_static/images/favicon.ico" type="image/x-icon" />
    <link rel="stylesheet" href="./_static/reset.css" type="text/css" />
    <link rel="stylesheet" href="./_static/960.css" type="text/css" />
    <link rel="stylesheet" href="./_static/base.css" type="text/css" />
    <link rel="stylesheet" href="./_static/home.css" type="text/css" />
    <link rel="stylesheet" href="./_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="./_static/guide.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '0.3.7',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="./_static/jquery.js"></script>
    <script type="text/javascript" src="./_static/underscore.js"></script>
    <script type="text/javascript" src="./_static/doctools.js"></script>
    
    <script type="text/javascript" src="./_static/main.js"></script>
    <link rel="top" title="Ubuntu Packaging Guide" href="./index.html" />
    <link rel="next" title="8. Patches to Packages" href="patches-to-packages.html" />
    <link rel="prev" title="6. Packaging New Software" href="packaging-new-software.html" /> 
  </head>
  <body class="home">
  <a name="top"></a>

  
<div id="content" class="body container_12">
  <div class="grid_12">  

     <!--<section id="main-section">-->

    <div class="grid_9 alpha">
		
    
  <div class="section" id="security-and-stable-release-updates">
<h1>7. Security and Stable Release Updates<a class="headerlink" href="#security-and-stable-release-updates" title="Permalink to this headline"></a></h1>
<div class="section" id="fixing-a-security-bug-in-ubuntu">
<h2>7.1. Fixing a Security Bug in Ubuntu<a class="headerlink" href="#fixing-a-security-bug-in-ubuntu" title="Permalink to this headline"></a></h2>
<div class="section" id="introduction">
<h3>7.1.1. Introduction<a class="headerlink" href="#introduction" title="Permalink to this headline"></a></h3>
<p>Fixing security bugs in Ubuntu is not really any different than <a class="reference internal" href="fixing-a-bug.html"><em>fixing a
regular bug in Ubuntu</em></a>, and it is assumed that you are familiar
with patching normal bugs. To demonstrate where things are different, we will
be updating the dbus package in Ubuntu 12.04 LTS (Precise Pangolin) for a security
update.</p>
</div>
<div class="section" id="obtaining-the-source">
<h3>7.1.2. Obtaining the source<a class="headerlink" href="#obtaining-the-source" title="Permalink to this headline"></a></h3>
<p>In this example, we already know we want to fix the dbus package in Ubuntu
12.04 LTS (Precise Pangolin). So first you need to determine the version of the
package you want to download. We can use <tt class="docutils literal"><span class="pre">rmadison</span></tt> to help with this:</p>
<div class="highlight-python"><div class="highlight"><pre>$ rmadison dbus | grep precise
dbus | 1.4.18-1ubuntu1   | precise          | source, amd64, armel, armhf, i386, powerpc
dbus | 1.4.18-1ubuntu1.4 | precise-security | source, amd64, armel, armhf, i386, powerpc
dbus | 1.4.18-1ubuntu1.4 | precise-updates  | source, amd64, armel, armhf, i386, powerpc
</pre></div>
</div>
<p>Typically you will want to choose the highest version for the release you want
to patch that is not in -proposed or -backports. Since we are updating Precise&#8217;s
dbus, you&#8217;ll download 1.4.18-1ubuntu1.4 from precise-updates:</p>
<div class="highlight-python"><div class="highlight"><pre>$ bzr branch ubuntu:precise-updates/dbus
</pre></div>
</div>
</div>
<div class="section" id="patching-the-source">
<h3>7.1.3. Patching the source<a class="headerlink" href="#patching-the-source" title="Permalink to this headline"></a></h3>
<p>Now that we have the source package, we need to patch it to fix the
vulnerability. You may use whatever patch method is appropriate for the
package, including <a class="reference internal" href="udd-intro.html"><em>UDD techniques</em></a>, but this example will
use <tt class="docutils literal"><span class="pre">edit-patch</span></tt> (from the ubuntu-dev-tools package). <tt class="docutils literal"><span class="pre">edit-patch</span></tt> is the
easiest way to patch packages and it is basically a wrapper around every other
patch system you can imagine.</p>
<p>To create your patch using <tt class="docutils literal"><span class="pre">edit-patch</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre>$ cd dbus
$ edit-patch 99-fix-a-vulnerability
</pre></div>
</div>
<p>This will apply the existing patches and put the packaging in a temporary
directory. Now edit the files needed to fix the vulnerability.  Often upstream
will have provided a patch so you can apply that patch:</p>
<div class="highlight-python"><div class="highlight"><pre>$ patch -p1 &lt; /home/user/dbus-vulnerability.diff
</pre></div>
</div>
<p>After making the necessary changes, you just hit Ctrl-D or type exit to
leave the temporary shell.</p>
</div>
<div class="section" id="formatting-the-changelog-and-patches">
<h3>7.1.4. Formatting the changelog and patches<a class="headerlink" href="#formatting-the-changelog-and-patches" title="Permalink to this headline"></a></h3>
<p>After applying your patches you will want to update the changelog. The <tt class="docutils literal"><span class="pre">dch</span></tt>
command is used to edit the <tt class="docutils literal"><span class="pre">debian/changelog</span></tt> file and <tt class="docutils literal"><span class="pre">edit-patch</span></tt> will
launch <tt class="docutils literal"><span class="pre">dch</span></tt> automatically after un-applying all the patches. If you are not
using <tt class="docutils literal"><span class="pre">edit-patch</span></tt>, you can launch <tt class="docutils literal"><span class="pre">dch</span> <span class="pre">-i</span></tt> manually. Unlike with regular
patches, security updates should use the following format. Note that the
distribution name is precise-security, since this is a security update for
Precise:</p>
<div class="highlight-python"><div class="highlight"><pre>dbus (1.4.18-1ubuntu1.5) precise-security; urgency=low

  * SECURITY UPDATE: [DESCRIBE VULNERABILITY HERE]
    - debian/patches/99-fix-a-vulnerability.patch: [DESCRIBE CHANGES HERE]
    - [CVE IDENTIFIER]
    - [LINK TO UPSTREAM BUG OR SECURITY NOTICE]
    - LP: #[BUG NUMBER]
...
</pre></div>
</div>
<p>Update your patch to use the appropriate patch tags. Your patch should have at
a minimum the Origin, Description and Bug-Ubuntu tags. For example, edit
debian/patches/99-fix-a-vulnerability.patch to have something like:</p>
<div class="highlight-python"><div class="highlight"><pre>## Description: [DESCRIBE VULNERABILITY HERE]
## Origin/Author: [COMMIT ID, URL OR EMAIL ADDRESS OF AUTHOR]
## Bug: [UPSTREAM BUG URL]
## Bug-Ubuntu: https://launchpad.net/bugs/[BUG NUMBER]
Index: dbus-1.4.18/dbus/dbus-marshal-validate.c
...
</pre></div>
</div>
<p>Multiple vulnerabilities can be fixed in the same security upload; just be sure
to use different patches for different vulnerabilities.</p>
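<p>The following check is an added example, not part of the Ubuntu Packaging Guide: a shell function that lints the newest <tt class="docutils literal"><span class="pre">debian/changelog</span></tt> entry and a patch header against the format shown above. The function names, the sample file names, the placeholder CVE and bug numbers and the e-mail address are assumptions made for the example.</p>

```shell
# Added example, not from the Ubuntu Packaging Guide. lint_security_upload and
# write_sample are hypothetical names; the sample data below is constructed.
# Usage: lint_security_upload CHANGELOG PATCH (prints problems, returns 1 if any)
lint_security_upload() {
    changelog=$1 patch=$2 rc=0
    # Inspect only the newest entry: everything up to its " -- " trailer line.
    entry=$(sed '/^ -- /q' "$changelog")
    # Header line: "package (version) distribution; urgency=..."
    dist=$(printf '%s\n' "$entry" | sed -n '1s/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')
    case $dist in
        *-security) ;;
        *) echo "changelog: distribution '$dist' is not a -security pocket"; rc=1 ;;
    esac
    # need WHERE LABEL TEXT REGEX: report LABEL if no line of TEXT matches REGEX.
    need() {
        if ! printf '%s\n' "$3" | grep -Eq -- "$4"; then
            echo "$1: missing $2"; rc=1
        fi
    }
    need changelog "SECURITY UPDATE line" "$entry" '^  \* SECURITY UPDATE: .+'
    need changelog "patch file reference" "$entry" '^    - debian/patches/[^ ]+: .+'
    need changelog "CVE identifier" "$entry" '^    - CVE-[0-9]{4}-[0-9]{4,}'
    need changelog "Launchpad bug" "$entry" '^    - LP: #[0-9]+'
    # Tags sit before the first diff line; the "## " prefix used above is optional.
    tags=$(sed -E '/^(Index: |diff |--- )/q' "$patch")
    need patch "Description tag" "$tags" '^(## )?Description: .+'
    need patch "Origin or Author tag" "$tags" '^(## )?(Origin|Author|Origin/Author): .+'
    need patch "Bug-Ubuntu tag" "$tags" '^(## )?Bug-Ubuntu: https://launchpad\.net/bugs/[0-9]+'
    return $rc
}
# Constructed sample upload with placeholder CVE and bug numbers (not real ones).
write_sample() {
    printf '%s\n' \
        'dbus (1.4.18-1ubuntu1.5) precise-security; urgency=low' '' \
        '  * SECURITY UPDATE: constructed example description' \
        '    - debian/patches/99-fix-a-vulnerability.patch: constructed change' \
        '    - CVE-0000-0000' \
        '    - LP: #0000000' '' \
        ' -- Example Dev <dev@example.com>  Thu, 01 Jan 2015 00:00:00 +0000' \
        > "$1/changelog"
    printf '%s\n' '## Description: constructed example description' \
        '## Origin/Author: dev@example.com' \
        '## Bug-Ubuntu: https://launchpad.net/bugs/0000000' \
        'Index: dbus-1.4.18/dbus/dbus-marshal-validate.c' > "$1/sample.patch"
}

tmp=$(mktemp -d); write_sample "$tmp"
if lint_security_upload "$tmp/changelog" "$tmp/sample.patch"; then echo "clean"; fi
rm -rf "$tmp"
```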
</div>
<div class="section" id="test-and-submit-your-work">
<h3>7.1.5. Test and Submit your work<a class="headerlink" href="#test-and-submit-your-work" title="Permalink to this headline"></a></h3>
<p>At this point the process is the same as for <a class="reference internal" href="fixing-a-bug.html"><em>fixing a regular bug in
Ubuntu</em></a>. Specifically, you will want to:</p>
<blockquote>
<div><ol class="arabic simple">
<li>Build your package and verify that it compiles without error and without
any added compiler warnings</li>
<li>Upgrade to the new version of the package from the previous version</li>
<li>Test that the new package fixes the vulnerability and does not introduce
any regressions</li>
<li>Submit your work via a Launchpad merge proposal and file a Launchpad bug
being sure to mark the bug as a security bug and to subscribe
<tt class="docutils literal"><span class="pre">ubuntu-security-sponsors</span></tt></li>
</ol>
</div></blockquote>
<p>If the security vulnerability is not yet public then do not file a merge
proposal and ensure you mark the bug as private.</p>
<p>The filed bug should include a Test Case, i.e. a comment which clearly shows how
to recreate the bug by running the old version and then how to confirm that the bug no
longer exists in the new version.</p>
<p>The bug report should also confirm that the issue is fixed in Ubuntu versions
newer than the one with the proposed fix (in the above example newer than
Precise).  If the issue is not fixed in newer Ubuntu versions you should prepare
updates for those versions too.</p>
</div>
</div>
<div class="section" id="stable-release-updates">
<h2>7.2. Stable Release Updates<a class="headerlink" href="#stable-release-updates" title="Permalink to this headline"></a></h2>
<p>We also allow updates to releases where a package has a high-impact bug, such as
a severe regression from a previous release or a bug which could cause data
loss.  Because such updates can themselves introduce bugs, we
only allow this where the change can be easily understood and verified.</p>
<p>The process for Stable Release Updates is just the same as the process for
security bugs except you should subscribe <tt class="docutils literal"><span class="pre">ubuntu-sru</span></tt> to the bug.</p>
<p>The update will go into the <tt class="docutils literal"><span class="pre">proposed</span></tt> archive (for example
<tt class="docutils literal"><span class="pre">precise-proposed</span></tt>) where it will need to be checked that it fixes the problem
and does not introduce new problems.  After a week without reported problems it
can be moved to <tt class="docutils literal"><span class="pre">updates</span></tt>.</p>
<p>See the <a class="reference external" href="https://wiki.ubuntu.com/StableReleaseUpdates">Stable Release Updates wiki page</a> for more information.</p>
</div>
</div>


	<div class="divide"></div>

          </div>

    <!--</section>-->
  </div>
</div>
<div class="shadow"></div>
<footer>
  <div>
      Version: 0.3.7.
    <a href="https://bugs.launchpad.net/ubuntu-packaging-guide">Report bugs</a> or 
    <a href="https://code.launchpad.net/~ubuntu-packaging-guide-team/ubuntu-packaging-guide/trunk">grab the source code</a> from Launchpad.
      Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.2.3.
      <br />
        &copy; Copyright 2010-2015, Ubuntu Developers, Creative Commons Attribution-ShareAlike 3.0.
        <a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">
        Creative Commons Attribution-ShareAlike 3.0 Unported License</a>.
        <a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">
        <img alt="Creative Commons License" style="border-width:0" 
        src="./_static/images/cc-by-sa.png" /></a>
    <br />
    <a href="http://people.ubuntu.com/~mitya57/ubuntu-packaging-guide-readme.html#translating">Help translate</a> or
    <a href="./_static/translators.html">view the list of translators</a>.

  </div>
</footer>
  </body>
</html>