Security reporting

I'm wondering how to report security related issues privately.
It would be nice to have a way to report security vulnerabilities privately to the authorized body and announce security flaws publicly only once a fixed version is available.

This leads to my second question.

Where can I receive security reports and recommendations about available fixed versions?

Ideally such reports contain ratings about how severely the impact of the security vulnerability is rated (like CVE).

John

LEDE is mostly plain Linux and third-party packages, so most of the security weaknesses should be reported directly to Linux kernel developers, or if a package-specific thing, then to the respective upstream package developers. It makes no sense to track here the possible weaknesses in Linux or in the 1000+ packages that can be built for LEDE.

LEDE home page gives this for confidential emails:
https://lede-project.org/contact

Please direct general inquiries to lede-contact@lede-project.org to open a confidential discussion with the project developers.

Alternatively, you could contact some of the core LEDE developers.


Valid question, and I personally think @hnyman's excellent reply could be a good starting point for a formal documentation page explaining the how/why and the action taken after something is discovered.

I do a lot of work in Drupal, and we have about 37 000 modules that extend Drupal core that are not part of Drupal. This is the entry page for security issues reported for core and third-party modules: https://www.drupal.org/security-team. It might spawn ideas on how to handle security issues and what the disclosure policy should be.

For a user of LEDE, especially one who is not directly involved in package maintenance or software development, it is almost impossible to keep track of security warnings scattered across countless different places for every package installed.

Additionally, not all security warnings in those places describe vulnerabilities that affect the package as used in LEDE.

Therefore it is very likely that users are unaware of critical vulnerabilities and do not take appropriate measures.

Thus I thought it would be great to have a centralized place where security stuff is gathered and everyone can easily be informed about security vulnerabilities and available fixes specific to LEDE.

@hnyman gave you a great answer. If you're not happy about the current state of affairs, you can:

  1. Proactively monitor CVEs and if the package you have installed on your LEDE router is mentioned there you can come back to the forum and ask for LEDE-specific information.
  2. Start that "centralized place where security stuff is gathered" yourself. LEDE Project was created and is maintained by volunteers, so if you want to monitor the state of security of 1000+ upstream packages and keep others informed, no one is going to stop you.
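A small monitor for step 1, as an added example (not code from this thread or from the LEDE project): it parses constructed `opkg list-installed` output and checks it against a constructed advisory list. The CVE ids, versions and CVSS scores are placeholders, and the version comparison is a simplified tokenizer rather than opkg's own.

```python
import re

# Constructed sample of `opkg list-installed` output ("name - version" per line).
OPKG_LIST_INSTALLED = """\
hostapd-common - 2016-12-19-ad02e79d-5
wpad-mini - 2016-12-19-ad02e79d-5
dnsmasq - 2.78-1
dropbear - 2017.75-3
"""

# Constructed advisory feed: CVE ids, fixed versions and scores are placeholders, not real advisories.
ADVISORIES = [
    {"cve": "CVE-YYYY-0001", "package": "wpad-mini", "fixed_in": "2016-12-19-ad02e79d-6", "cvss": 8.1},
    {"cve": "CVE-YYYY-0002", "package": "dnsmasq", "fixed_in": "2.78-1", "cvss": 9.8},
    {"cve": "CVE-YYYY-0003", "package": "uhttpd", "fixed_in": "2017-08-01-1", "cvss": 5.3},
]

def parse_installed(text):
    """Parse opkg list-installed output into {package: version}."""
    installed = {}
    for line in text.splitlines():
        name, sep, version = line.partition(" - ")
        if sep:
            installed[name.strip()] = version.strip()
    return installed

def version_key(version):
    """Split a version string into comparable tokens; numeric tokens sort before text tokens."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.\-]", version) if t]

def severity(cvss):
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"

def affected_packages(installed, advisories):
    """Return advisories whose package is installed in a version older than fixed_in, highest score first."""
    hits = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is not None and version_key(current) < version_key(adv["fixed_in"]):
            hits.append({**adv, "installed": current, "severity": severity(adv["cvss"])})
    return sorted(hits, key=lambda h: -h["cvss"])

if __name__ == "__main__":
    for hit in affected_packages(parse_installed(OPKG_LIST_INSTALLED), ADVISORIES):
        print(f'{hit["severity"]:8} {hit["cve"]} {hit["package"]} {hit["installed"]} -> fixed in {hit["fixed_in"]}')
```

On a real router the installed list would come from `opkg list-installed` and the advisory data from the upstream feed you choose to track; only the comparison logic stays the same.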

Will the WPA2 issue be added to the next release?

How about reading the thread about that problem?

It has already been fixed in master and 17.01 sources. And probably 17.01.4 will be released soon.


That helped... Thanks!