<?xml version="1.0" encoding="utf-8"?>
<!-- generator="FeedCreator 1.7.2-ppt DokuWiki" -->
<?xml-stylesheet href="http://oss-security.openwall.org/wiki/lib/exe/css.php?s=feed" type="text/css"?>
<feed version="0.3" xmlns="http://purl.org/atom/ns#">
    <title>OSS-Security</title>
    <tagline></tagline>
    <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/"/>
    <id>http://oss-security.openwall.org/wiki/</id>
    <modified>2010-09-05T15:29:13-07:00</modified>
    <generator>FeedCreator 1.7.2-ppt DokuWiki</generator>
    <entry>
        <title>about</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/about?rev=1211509210"/>
        <created>2008-05-22T19:20:10-07:00</created>
        <issued>2008-05-22T19:20:10-07:00</issued>
        <modified>2008-05-22T19:20:10-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/about?rev=1211509210</id>
        <summary>The Open Source Security (oss-security) wiki and mailing list are a product of co-operation amongst various open source software vendors, projects, and researchers. The purpose of the oss-security group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community.</summary>
    </entry>
    <entry>
        <title>code-reviews</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/code-reviews?rev=1253700072"/>
        <created>2009-09-23T03:01:12-07:00</created>
        <issued>2009-09-23T03:01:12-07:00</issued>
        <modified>2009-09-23T03:01:12-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/code-reviews?rev=1253700072</id>
        <summary>This page will hopefully soon consist of many code review reports with a proper description of project/version/architecture/possible flaws and security-relevant patches.

As a start, I will add some packages which are common across a lot of Linux distributions and have been identified as a potential risk since they either run privileged or with network input. Feel free to add other OS's or move to another, separate, page. The intention is NOT to enumerate all possibly problematic packages such as …</summary>
    </entry>
    <entry>
        <title>disclosure</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/disclosure?rev=1265740420"/>
        <created>2010-02-09T10:33:40-07:00</created>
        <issued>2010-02-09T10:33:40-07:00</issued>
        <modified>2010-02-09T10:33:40-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/disclosure?rev=1265740420</id>
        <summary>Flaw Disclosure

Anytime an individual discovers a security flaw, there are certain steps that should be taken to ensure that the details of the flaw are disclosed in a responsible and acceptable manner.  Reporting a flaw in open source software poses a number of unique challenges compared to the closed source counterparts.</summary>
    </entry>
    <entry>
        <title>distro-patches</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/distro-patches?rev=1273423000"/>
        <created>2010-05-09T09:36:40-07:00</created>
        <issued>2010-05-09T09:36:40-07:00</issued>
        <modified>2010-05-09T09:36:40-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/distro-patches?rev=1273423000</id>
        <summary>This page lists how to find and extract patches from various open source-providing vendors, such as distributors of Linux, *BSD, and other related operating systems.  See the general Vendor information page for details on where to find security announcements.</summary>
    </entry>
    <entry>
        <title>infrastructure</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/infrastructure?rev=1211910862"/>
        <created>2008-05-27T10:54:22-07:00</created>
        <issued>2008-05-27T10:54:22-07:00</issued>
        <modified>2008-05-27T10:54:22-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/infrastructure?rev=1211910862</id>
        <summary>This page lists security contacts, status links, etc. for various open source-providing infrastructure folks.

When adding to this page, please include the following vendor information: 

	*  email address for the security contact
	*  link to FAQ
	*  link to network/service status information (i.e. scheduled down-times)
	*  link to issue tracker (i.e. Bugzilla)</summary>
    </entry>
    <entry>
        <title>links</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/links?rev=1208193739"/>
        <created>2008-04-14T10:22:19-07:00</created>
        <issued>2008-04-14T10:22:19-07:00</issued>
        <modified>2008-04-14T10:22:19-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/links?rev=1208193739</id>
        <summary>Here is a list of other websites with OSS-security-related information (be it articles, tutorials, general information, etc.)

Vulnerability databases and security advisory archives

	*  &lt;http://cve.mitre.org&gt; - MITRE's CVE (Common Vulnerabilities and Exposures) dictionary
	*  &lt;http://nvd.nist.gov&gt; - NIST's NVD (National Vulnerability Database)
	*  &lt;http://osvdb.org&gt; - OSVDB (The Open Source Vulnerability Database)
	*  &lt;http://www.linuxsecurity.com/content/section/3/170/&gt; - LinuxSecurity.com adv…</summary>
    </entry>
    <entry>
        <title>mailing-lists</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/mailing-lists?rev=1211509210"/>
        <created>2008-05-22T19:20:10-07:00</created>
        <issued>2008-05-22T19:20:10-07:00</issued>
        <modified>2008-05-22T19:20:10-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/mailing-lists?rev=1211509210</id>
        <summary>This page provides links to a number of security-related mailing list resources.

Public Lists

	*  &lt;oss [dash] security [at] lists [dot] openwall [dot] com&gt;: The open source software security mailing list (oss-security), which is a counterpart to this wiki.  This is a public mailing list for anyone to subscribe to.  Non-members may post to the list; however, their messages will be moderated before release.  This list is an open list for open source software authors and vendors to discuss public security issues.
		*  o…</summary>
    </entry>
    <entry>
        <title>mailinglists</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/mailinglists?rev=1211510187"/>
        <created>2008-05-22T19:36:27-07:00</created>
        <issued>2008-05-22T19:36:27-07:00</issued>
        <modified>2008-05-22T19:36:27-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/mailinglists?rev=1211510187</id>
        <summary>This page has moved.</summary>
    </entry>
    <entry>
        <title>software</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/software?rev=1264782670"/>
        <created>2010-01-29T08:31:10-07:00</created>
        <issued>2010-01-29T08:31:10-07:00</issued>
        <modified>2010-01-29T08:31:10-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/software?rev=1264782670</id>
        <summary>This is a list of various open source software projects with links to security contacts for the project.  Please only list those projects that do have a security contact to list!  The contact may be an email address or a web page with more information.</summary>
    </entry>
    <entry>
        <title>tools</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/tools?rev=1253700325"/>
        <created>2009-09-23T03:05:25-07:00</created>
        <issued>2009-09-23T03:05:25-07:00</issued>
        <modified>2009-09-23T03:05:25-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/tools?rev=1253700325</id>
        <summary>This page will give you some hints about which tools might be used to gather useful information during a code review such as debuggers, static and dynamic code analysis tools etc.

cscope

With the help of cscope, reviewers can comfortably search for symbols in the source code of programs. It allows searching for definitions/declarations and calls of certain functions, macro definitions, etc. Most Linux and BSD distributions ship cscope.</summary>
    </entry>
    <entry>
        <title>vendors</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/vendors?rev=1275681529"/>
        <created>2010-06-04T12:58:49-07:00</created>
        <issued>2010-06-04T12:58:49-07:00</issued>
        <modified>2010-06-04T12:58:49-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/vendors?rev=1275681529</id>
        <summary>This page lists security contacts, bug tracker links, links to advisories, etc. for various open source-providing vendors, such as distributors of Linux, *BSD, and other related operating systems.

When adding to this page, please include the following vendor information:</summary>
    </entry>
    <entry>
        <title>welcome</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/welcome?rev=1232297677"/>
        <created>2009-01-18T08:54:37-07:00</created>
        <issued>2009-01-18T08:54:37-07:00</issued>
        <modified>2009-01-18T08:54:37-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/welcome?rev=1232297677</id>
        <summary>Welcome to the Open Source Software Security Wiki.  This wiki provides information on a variety of open source security resources and “best practices” information.  It is also the counterpart to the oss-security mailing list.  Please note that registration on this wiki is distinct from mailing list subscription; you're not automatically subscribed when you register on the wiki.</summary>
    </entry>
    <entry>
        <title>whattodo</title>
        <link rel="alternate" type="text/html" href="http://oss-security.openwall.org/wiki/whattodo?rev=1211509210"/>
        <created>2008-05-22T19:20:10-07:00</created>
        <issued>2008-05-22T19:20:10-07:00</issued>
        <modified>2008-05-22T19:20:10-07:00</modified>
        <id>http://oss-security.openwall.org/wiki/whattodo?rev=1211509210</id>
        <summary>This page is designed to teach folks who may not be familiar with security what the generally accepted procedures are, and why they exist.

When a user or security researcher submits a bug to a maintainer of an open-source project, there are a number of factors that determine the proper course of action.  The most basic is who is known to consume the software.  If all your users obtain the code directly from your site, do not modify it, and are not known to redistribute it, it is probably OK to …</summary>
    </entry>
</feed>
