[ovs-dev] [PATCH RFC] SECURITY: New document describing proposed security process for OVS.
Ben Pfaff
blp at nicira.com
Fri Jan 2 23:01:56 UTC 2015
On Fri, Jan 02, 2015 at 11:53:26PM +0100, Thomas Graf wrote:
> On 01/02/15 at 01:44pm, Ben Pfaff wrote:
> > Open vSwitch needs some kind of process for handling vulnerabilities. So
> > far, we've been pretty lucky that way, but it can't last forever, and I
> > think we'll be better off if we have at least the outline of an established
> > process whenever a significant vulnerability comes along. Here's my draft
> > of a process based on the documentation of the OpenStack process at
> > https://wiki.openstack.org/wiki/Vulnerability_Management.
> >
> > I don't have a lot of experience with this kind of thing myself, so I'd
> > appreciate critical review from anyone who does.
> >
> > Signed-off-by: Ben Pfaff <blp at nicira.com>
>
> Looks great. Do we want to include a couple of examples of what
> would classify as a vulnerability?
Sure. Some that come randomly to mind:
* A crafted packet that causes a kernel or userspace crash.
* A flow translation bug that misforwards traffic in a way
likely to hop over security boundaries.
* An OpenFlow protocol bug that allows a controller to read
arbitrary files from the file system.
* Misuse of the OpenSSL library that allows bypassing
certificate checks.
Any to add?
More information about the dev
mailing list