
The Xen Project security team has a message for system admins


February 16, 2017

We learned today that the Xen Project security team has a brief message for system administrators out there: 'we are asking if we can disclose fewer bugs'.

“Issuing security advisories has some implied costs,” the project's George Dunlap writes.

“It costs the security team significant amounts of time to craft and send the advisories; it costs many of our downstreams time to apply, build, and test patches; and it costs many of our users time to decide whether to do an update, and if so, to test and deploy it in the manner it was meant to be,” he asserted.

“Given this, the Xen Project Security Team wants to clarify when they should issue an advisory or not: our response process simply mentions 'security vulnerabilities', without specifying what constitutes a vulnerability,” he added.

Dunlap's post goes on to ask the Xen community to consider two changes to the Xen Security Policy. The first is the insertion of the following new clause:

Criteria 2c: Leaking of mundane information from Xen or dom0 will not be considered a security issue unless it may contain sensitive guest or user data.

The second is an addition to Criteria 4, which deals with vulnerability disclosure: if no operating systems are vulnerable to a bug, no advisory will be issued.

There's a thread on xen-devel to debate the changes. At the time of writing there's only a handful of posts, from just three people including Dunlap.

Dunlap also suggests that some security flaws need not be classified as vulnerabilities per se, and offers the following source-to-target classifications as the ones that do merit the name "vulnerability":

1a. The source is the guest userspace, guest kernel, or QEMU stubdomain, and the target is the hypervisor, dom0 and toolstack.

1b. The source is the guest userspace, guest kernel, or QEMU stubdomain, and the target is another guest.

1c. The source is guest userspace, and the target is the guest kernel, or other guest userspace processes.

Under this scheme, privilege escalation, denial of service and information leakage will generally be considered vulnerabilities, but not when the target is an unprivileged guest.

Dunlap also suggests the security vulnerabilities in experimental versions of Xen not be notifiable and wants the same treatment when there's no “known combination of software in which the vulnerability can be exploited.”

Xen has had a large number of security advisories lately, including one for a purely hypothetical bug, and the Xen Project has also struggled to keep up with its own patching process.

Source: The Xen Project.
