/usr/share/doc/ubuntu-packaging-guide-html/security-and-stable-release-updates.html is in ubuntu-packaging-guide-html 0.3.7.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>7. Security and Stable Release Updates — Ubuntu Packaging Guide</title>
<link rel="shortcut icon" href="./_static/images/favicon.ico" type="image/x-icon" />
<link rel="stylesheet" href="./_static/reset.css" type="text/css" />
<link rel="stylesheet" href="./_static/960.css" type="text/css" />
<link rel="stylesheet" href="./_static/base.css" type="text/css" />
<link rel="stylesheet" href="./_static/home.css" type="text/css" />
<link rel="stylesheet" href="./_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="./_static/guide.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '0.3.7',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="./_static/jquery.js"></script>
<script type="text/javascript" src="./_static/underscore.js"></script>
<script type="text/javascript" src="./_static/doctools.js"></script>
<script type="text/javascript" src="./_static/main.js"></script>
<link rel="top" title="Ubuntu Packaging Guide" href="./index.html" />
<link rel="next" title="8. Patches to Packages" href="patches-to-packages.html" />
<link rel="prev" title="6. Packaging New Software" href="packaging-new-software.html" />
</head>
<body class="home">
<a name="top"></a>
<div class="header-navigation">
<div>
<nav role="navigation">
<ul>
<li class="page_item current_page_item"><a title="Contents" href="index.html">Contents</a>
<li>
<form id="form-search" method="get" action="search.html">
<fieldset>
<input id="input-search" type="text" name="q" value="Search" />
</fieldset>
</form>
</li>
</ul>
</nav>
<a class="logo-ubuntu" href="http://packaging.ubuntu.com/">
<img src="./_static/images/logo-ubuntu.png" width="119" height="27" alt="Ubuntu logo" />
</a>
<a href="http://packaging.ubuntu.com/"><h2>Packaging Guide</h2></a>
</div>
</div>
<div class="header-content">
<div class="clearfix">
<div class="header-navigation-secondary">
<div>
<nav role="navigation">
<ul class="clearfix">
<li class="page_item"><a style="margin-right: 10px"
href="patches-to-packages.html" title="8. Patches to Packages"
accesskey="N">next</a></li>
<li class="page_item"><a
href="packaging-new-software.html" title="6. Packaging New Software"
accesskey="P">previous</a></li>
<li class="page_item"><a class="sub-nav-item" href="index.html">Ubuntu Packaging Guide »</a></li>
</ul>
</nav>
</div>
</div>
</div>
</div>
<div id="content" class="body container_12">
<div class="grid_12">
<!--<section id="main-section">-->
<div class="grid_9 alpha">
<div class="section" id="security-and-stable-release-updates">
<h1>7. Security and Stable Release Updates<a class="headerlink" href="#security-and-stable-release-updates" title="Permalink to this headline">¶</a></h1>
<div class="section" id="fixing-a-security-bug-in-ubuntu">
<h2>7.1. Fixing a Security Bug in Ubuntu<a class="headerlink" href="#fixing-a-security-bug-in-ubuntu" title="Permalink to this headline">¶</a></h2>
<div class="section" id="introduction">
<h3>7.1.1. Introduction<a class="headerlink" href="#introduction" title="Permalink to this headline">¶</a></h3>
<p>Fixing security bugs in Ubuntu is not really any different than <a class="reference internal" href="fixing-a-bug.html"><em>fixing a
regular bug in Ubuntu</em></a>, and it is assumed that you are familiar
with patching normal bugs. To demonstrate where things are different, we will
be updating the dbus package in Ubuntu 12.04 LTS (Precise Pangolin) for a security
update.</p>
</div>
<div class="section" id="obtaining-the-source">
<h3>7.1.2. Obtaining the source<a class="headerlink" href="#obtaining-the-source" title="Permalink to this headline">¶</a></h3>
<p>In this example, we already know we want to fix the dbus package in Ubuntu
12.04 LTS (Precise Pangolin). So first you need to determine the version of the
package you want to download. We can use the <tt class="docutils literal"><span class="pre">rmadison</span></tt> to help with this:</p>
<div class="highlight-python"><div class="highlight"><pre>$ rmadison dbus | grep precise
dbus | 1.4.18-1ubuntu1 | precise | source, amd64, armel, armhf, i386, powerpc
dbus | 1.4.18-1ubuntu1.4 | precise-security | source, amd64, armel, armhf, i386, powerpc
dbus | 1.4.18-1ubuntu1.4 | precise-updates | source, amd64, armel, armhf, i386, powerpc
</pre></div>
</div>
<p>Typically you will want to choose the highest version for the release you want
to patch that is not in -proposed or -backports. Since we are updating Precise’s
dbus, you’ll download 1.4.18-1ubuntu1.4 from precise-updates:</p>
<div class="highlight-python"><div class="highlight"><pre>$ bzr branch ubuntu:precise-updates/dbus
</pre></div>
</div>
</div>
<div class="section" id="patching-the-source">
<h3>7.1.3. Patching the source<a class="headerlink" href="#patching-the-source" title="Permalink to this headline">¶</a></h3>
<p>Now that we have the source package, we need to patch it to fix the
vulnerability. You may use whatever patch method that is appropriate for the
package, including <a class="reference internal" href="udd-intro.html"><em>UDD techniques</em></a>, but this example will
use <tt class="docutils literal"><span class="pre">edit-patch</span></tt> (from the ubuntu-dev-tools package). <tt class="docutils literal"><span class="pre">edit-patch</span></tt> is the
easiest way to patch packages and it is basically a wrapper around every other
patch system you can imagine.</p>
<p>To create your patch using <tt class="docutils literal"><span class="pre">edit-patch</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre>$ cd dbus
$ edit-patch 99-fix-a-vulnerability
</pre></div>
</div>
<p>This will apply the existing patches and put the packaging in a temporary
directory. Now edit the files needed to fix the vulnerability. Often upstream
will have provided a patch so you can apply that patch:</p>
<div class="highlight-python"><div class="highlight"><pre>$ patch -p1 < /home/user/dbus-vulnerability.diff
</pre></div>
</div>
<p>After making the necessary changes, you just hit Ctrl-D or type exit to
leave the temporary shell.</p>
</div>
<div class="section" id="formatting-the-changelog-and-patches">
<h3>7.1.4. Formatting the changelog and patches<a class="headerlink" href="#formatting-the-changelog-and-patches" title="Permalink to this headline">¶</a></h3>
<p>After applying your patches you will want to update the changelog. The <tt class="docutils literal"><span class="pre">dch</span></tt>
command is used to edit the <tt class="docutils literal"><span class="pre">debian/changelog</span></tt> file and <tt class="docutils literal"><span class="pre">edit-patch</span></tt> will
launch <tt class="docutils literal"><span class="pre">dch</span></tt> automatically after un-applying all the patches. If you are not
using <tt class="docutils literal"><span class="pre">edit-patch</span></tt>, you can launch <tt class="docutils literal"><span class="pre">dch</span> <span class="pre">-i</span></tt> manually. Unlike with regular
patches, you should use the following format (note the distribution name uses
precise-security since this is a security update for Precise) for security
updates:</p>
<div class="highlight-python"><div class="highlight"><pre>dbus (1.4.18-2ubuntu1.5) precise-security; urgency=low
* SECURITY UPDATE: [DESCRIBE VULNERABILITY HERE]
- debian/patches/99-fix-a-vulnerability.patch: [DESCRIBE CHANGES HERE]
- [CVE IDENTIFIER]
- [LINK TO UPSTREAM BUG OR SECURITY NOTICE]
- LP: #[BUG NUMBER]
...
</pre></div>
</div>
<p>Update your patch to use the appropriate patch tags. Your patch should have at
a minimum the Origin, Description and Bug-Ubuntu tags. For example, edit
debian/patches/99-fix-a-vulnerability.patch to have something like:</p>
<div class="highlight-python"><div class="highlight"><pre>## Description: [DESCRIBE VULNERABILITY HERE]
## Origin/Author: [COMMIT ID, URL OR EMAIL ADDRESS OF AUTHOR]
## Bug: [UPSTREAM BUG URL]
## Bug-Ubuntu: https://launchpad.net/bugs/[BUG NUMBER]
Index: dbus-1.4.18/dbus/dbus-marshal-validate.c
...
</pre></div>
</div>
<p>Multiple vulnerabilities can be fixed in the same security upload; just be sure
to use different patches for different vulnerabilities.</p>
</div>
<div class="section" id="test-and-submit-your-work">
<h3>7.1.5. Test and Submit your work<a class="headerlink" href="#test-and-submit-your-work" title="Permalink to this headline">¶</a></h3>
<p>At this point the process is the same as for <a class="reference internal" href="fixing-a-bug.html"><em>fixing a regular bug in
Ubuntu</em></a>. Specifically, you will want to:</p>
<blockquote>
<div><ol class="arabic simple">
<li>Build your package and verify that it compiles without error and without
any added compiler warnings</li>
<li>Upgrade to the new version of the package from the previous version</li>
<li>Test that the new package fixes the vulnerability and does not introduce
any regressions</li>
<li>Submit your work via a Launchpad merge proposal and file a Launchpad bug
being sure to mark the bug as a security bug and to subscribe
<tt class="docutils literal"><span class="pre">ubuntu-security-sponsors</span></tt></li>
</ol>
</div></blockquote>
<p>If the security vulnerability is not yet public then do not file a merge
proposal and ensure you mark the bug as private.</p>
<p>The filed bug should include a Test Case, i.e. a comment which clearly shows how
to recreate the bug by running the old version then how to ensure the bug no
longer exists in the new version.</p>
<p>The bug report should also confirm that the issue is fixed in Ubuntu versions
newer than the one with the proposed fix (in the above example newer than
Precise). If the issue is not fixed in newer Ubuntu versions you should prepare
updates for those versions too.</p>
</div>
</div>
<div class="section" id="stable-release-updates">
<h2>7.2. Stable Release Updates<a class="headerlink" href="#stable-release-updates" title="Permalink to this headline">¶</a></h2>
<p>We also allow updates to releases where a package has a high impact bug such as
a severe regression from a previous release or a bug which could cause data
loss. Due to the potential for such updates to themselves introduce bugs we
only allow this where the change can be easily understood and verified.</p>
<p>The process for Stable Release Updates is just the same as the process for
security bugs except you should subscribe <tt class="docutils literal"><span class="pre">ubuntu-sru</span></tt> to the bug.</p>
<p>The update will go into the <tt class="docutils literal"><span class="pre">proposed</span></tt> archive (for example
<tt class="docutils literal"><span class="pre">precise-proposed</span></tt>) where it will need to be checked that it fixes the problem
and does not introduce new problems. After a week without reported problems it
can be moved to <tt class="docutils literal"><span class="pre">updates</span></tt>.</p>
<p>See the <a class="reference external" href="https://wiki.ubuntu.com/StableReleaseUpdates">Stable Release Updates wiki page</a> for more information.</p>
</div>
</div>
<div class="divide"></div>
</div>
<div id="sidebar" class="grid_3 omega">
<div class="container-tweet">
<h3>Table Of Contents</h3>
<div class="toc">
<ul>
<li><a class="reference internal" href="#">7. Security and Stable Release Updates</a><ul>
<li><a class="reference internal" href="#fixing-a-security-bug-in-ubuntu">7.1. Fixing a Security Bug in Ubuntu</a><ul>
<li><a class="reference internal" href="#introduction">7.1.1. Introduction</a></li>
<li><a class="reference internal" href="#obtaining-the-source">7.1.2. Obtaining the source</a></li>
<li><a class="reference internal" href="#patching-the-source">7.1.3. Patching the source</a></li>
<li><a class="reference internal" href="#formatting-the-changelog-and-patches">7.1.4. Formatting the changelog and patches</a></li>
<li><a class="reference internal" href="#test-and-submit-your-work">7.1.5. Test and Submit your work</a></li>
</ul>
</li>
<li><a class="reference internal" href="#stable-release-updates">7.2. Stable Release Updates</a></li>
</ul>
</li>
</ul>
</div>
<div class="browse-guide">
<h3>Browse The Guide:</h3>
<ul>
<li class="prev">
<a href="packaging-new-software.html"
title="Previous topic: 6. Packaging New Software">Go Previous</a>
</li>
<li class="center">
<a title="Back to Index" href="index.html">Index Guide</a>
</li>
<li class="next">
<a href="patches-to-packages.html"
title="Next topic: 8. Patches to Packages">Go Next</a>
</li>
</ul>
<span>This Page:</span> <a href="./_sources/security-and-stable-release-updates.txt"
rel="nofollow">Show Source</a>
</div>
</div>
<div id="back_top"><a href="#top">Back to Top</a></div>
</div>
<!--</section>-->
</div>
</div>
<div class="shadow"></div>
<footer>
<div>
Version: 0.3.7.
<a href="https://bugs.launchpad.net/ubuntu-packaging-guide">Report bugs</a> or
<a href="https://code.launchpad.net/~ubuntu-packaging-guide-team/ubuntu-packaging-guide/trunk">grab the source code</a> from Launchpad.
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.2.3.
<br />
© Copyright 2010-2015, Ubuntu Developers, Creative Commons Attribution-ShareAlike 3.0.
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">
Creative Commons Attribution-ShareAlike 3.0 Unported License</a>.
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">
<img alt="Creative Commons License" style="border-width:0"
src="./_static/images/cc-by-sa.png" /></a>
<br />
<a href="http://people.ubuntu.com/~mitya57/ubuntu-packaging-guide-readme.html#translating">Help translate</a> or
<a href="./_static/translators.html">view the list of translators</a>.
</div>
</footer>
</body>
</html>
|