---
title: 'Gentoo security'
navtitle: 'Security'
nav1: support
nav2: security
nav3: security-index
nav2-show: true
nav3-show: true
nav3-weight: 1
body_class: nav-align-h2

layout: page-nav3
---

<h2>Security in Gentoo Linux</h2>

<p>
  Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us.
  The <a href="https://wiki.gentoo.org/wiki/Project:Security">Security Project</a>
  is tasked with providing timely information about security vulnerabilities in Gentoo Linux, along with patches to secure those vulnerabilities.
  We work directly with vendors, end users and other OSS projects to ensure all security incidents are responded to quickly and professionally.
</p>

<p>
  You can find a document describing the policy the security team follows to treat the vulnerabilities found in the
  Gentoo Linux distribution on the <a href="vulnerability-treatment-policy.html">Vulnerability Treatment Policy</a> page.
</p>

<h3>Installing a secure Gentoo system</h3>
<p>
  The <a href="https://wiki.gentoo.org/wiki/Security_Handbook">Gentoo Security Handbook</a> gives information and tips
  for building a secure system and hardening existing systems.
</p>

<h3>Keeping Gentoo secure</h3>
<p>
  To stay up to date with security fixes, you should subscribe to receive GLSAs and apply the GLSA instructions whenever you have an affected package installed.
  Alternatively, syncing your portage tree and upgrading every package should also keep you up to date security-wise.
</p>
<p>
  You can use the <kbd>glsa-check</kbd> tool (part of the <tt>gentoolkit</tt> package) to:
</p>
<ul>
  <li>check whether a specific GLSA applies to your system (<kbd>-p</kbd> option);</li>
  <li>list all GLSAs with their applied/affected/unaffected status (<kbd>-l</kbd> option);</li>
  <li>apply a given GLSA to your system (<kbd>-f</kbd> option).</li>
</ul>
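<p>
  The following is an added example of a small audit wrapper around the <kbd>glsa-check</kbd> workflow described above; it is not code from this page or from <tt>gentoolkit</tt>. It assumes that <kbd>glsa-check -l all</kbd> prints one line per advisory in the shape <tt>&lt;GLSA-ID&gt; [N|U|A] &lt;title&gt; ( &lt;packages&gt; )</tt> after a short legend, and it reads the tool's path from the hypothetical <tt>GLSA_CHECK</tt> variable so the parser can be exercised against a constructed sample on a machine that has no <kbd>glsa-check</kbd> installed. It only lists and pretends (<kbd>-l</kbd>, <kbd>-p</kbd>); applying a fix with <kbd>-f</kbd> is left to the operator.
</p>

```shell
#!/bin/sh
# Added example: not part of the Gentoo page nor of gentoolkit's own code.
# Assumptions: `glsa-check -l all` prints a legend followed by one line per
# GLSA in the shape "<GLSA-ID> [N|U|A] <title> ( <packages> )"; GLSA_CHECK
# (hypothetical, for this example only) may name a substitute command.

# Print the ids of GLSAs whose status is [N] (system might be affected),
# reading `glsa-check -l` style output on stdin. Legend lines, blank lines
# and [U]/[A] entries are skipped.
affected_glsas() {
    while IFS= read -r line || [ -n "$line" ]; do
        id=${line%% *}
        rest=${line#* }
        status=${rest%% *}
        case "$id" in
            [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9])
                if [ "$status" = "[N]" ]; then
                    printf '%s\n' "$id"
                fi
                ;;
        esac
    done
}

# Audit the system: list affected GLSAs, show with -p what each fix would
# do, and return non-zero when anything is affected so a cron job or a
# monitoring check can alert on it. Nothing is changed on the system:
# -f (apply) is deliberately left to an operator who has read the advisory.
glsa_audit() {
    tool=${GLSA_CHECK:-glsa-check}
    ids=$("$tool" -l all | affected_glsas)
    if [ -z "$ids" ]; then
        echo "no GLSAs affect this system"
        return 0
    fi
    count=0
    for id in $ids; do
        echo "== $id (pretend mode, nothing applied) =="
        "$tool" -p "$id"
        count=$((count + 1))
    done
    echo "affected GLSAs: $count"
    return 1
}

# Constructed sample output (placeholder ids and titles, not real advisories)
# in the assumed `glsa-check -l` shape, so the parser can run offline.
SAMPLE_LIST='[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

200001-01 [U] example-pkg: placeholder title ( app-misc/example )
200001-02 [N] other-pkg: placeholder title ( net-misc/other )
200001-03 [A] third-pkg: placeholder title ( dev-libs/third )
200001-04 [N] fourth-pkg: placeholder title ( sys-apps/fourth )'

# Offline demo: parse the constructed sample. On a Gentoo system run
# `glsa_audit` instead (optionally GLSA_CHECK=/path/to/glsa-check).
printf '%s\n' "$SAMPLE_LIST" | affected_glsas
```

<p>
  Run on a real system, <tt>glsa_audit</tt> exits non-zero whenever any advisory is reported as <tt>[N]</tt>, which is the signal a periodic job should turn into a notification; the <kbd>-p</kbd> output tells the operator which packages the fix would upgrade before deciding to run <kbd>glsa-check -f</kbd>.
</p>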

<h2>Gentoo Linux Security Announcements (GLSAs)</h2>

<p>
  Gentoo Linux Security Announcements are notifications that we send out to the community to inform them of security vulnerabilities related to Gentoo Linux or the packages contained in our portage repository.
</p>

<h3>Recent advisories</h3>

{% include frontpage/glsa %}

<p>
 For a full list of all published GLSAs, please see our <a href="https://security.gentoo.org/glsa/">GLSA index page</a>.
</p>

<h3>How to receive GLSAs</h3>
<p>
  GLSA announcements are sent to the <a href="/get-involved/mailing-lists/">gentoo-announce@gentoo.org mailing list</a>, and are published via <a href="https://security.gentoo.org/subscribe">RSS and Atom feeds</a>.
</p>

<h3 id="contact">Security team contact information</h3>
<p>
  Gentoo Linux takes security vulnerability reports very seriously.
  Please file new vulnerability reports on <a href="https://bugs.gentoo.org">Gentoo Bugzilla</a>
  and assign them to the <span class="emphasis">Gentoo Security</span> product and <span class="emphasis">Vulnerabilities</span> component.
  The Gentoo Linux Security Team will ensure all security-related bug reports are responded to in a timely fashion.
</p>

<p>
  If you find errors or omissions in published GLSAs, you should also file a bug in <a href="https://bugs.gentoo.org">Gentoo Bugzilla</a> in the <em>Gentoo Security</em> product, but with the <em>GLSA Errors</em> component.
</p>

<p>
  <a href="https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&amp;component=Vulnerabilities" class="btn btn-primary btn-sm"><span class="fa fa-fw fa-bug"></span> Report security vulnerability</a>
  <a href="https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&amp;component=GLSA%20Errors" class="btn btn-primary btn-sm"><span class="fa fa-fw fa-bug"></span> Report GLSA error</a>
</p>

<h3 id="confidential-contacts">Confidential contacts</h3>
<p>
  You have two options for submitting non-public vulnerabilities to the security team.
  You may submit a bug in <a href="https://bugs.gentoo.org/">Gentoo Bugzilla</a> using the <em>New-Expert</em> action, or the <em>Enter a new bug report (advanced)</em> link,
  and check the <em>Gentoo Security</em> checkbox in the <em>Only users in all of the selected groups can view this bug</em> section.
  You may also contact one of the following security contacts directly using encrypted mail:
</p>
<table class="table">
<tr>
  <td class="infohead"><b>Name</b></td>
  <td class="infohead"><b>Responsibility</b></td>
  <td class="infohead"><b>Email</b></td>
  <td class="infohead"><b>OpenPGP key ID (click to retrieve public key)</b></td>
</tr>
<tr>
  <td class="tableinfo">Thomas Deutschmann</td>
  <td class="tableinfo">Security lead</td>
  <td class="tableinfo"><a href="mailto:whissi@gentoo.org">whissi@gentoo.org</a></td>
  <td class="tableinfo"><a href="https://sks-keyservers.net/pks/lookup?op=get&amp;search=0x58497EE51D5D74A5">0x58497EE51D5D74A5</a></td>
</tr>
<tr>
  <td class="tableinfo">Kristian Fiskerstrand</td>
  <td class="tableinfo">Security lead</td>
  <td class="tableinfo"><a href="mailto:k_f@gentoo.org">k_f@gentoo.org</a></td>
  <td class="tableinfo"><a href="https://sks-keyservers.net/pks/lookup?op=get&amp;search=0x94CBAFDD30345109561835AA0B7F8B60E3EDFAE3">0x0B7F8B60E3EDFAE3</a></td>
</tr>
<tr>
  <td class="tableinfo">Jason A. Donenfeld</td>
  <td class="tableinfo">Security auditing lead</td>
  <td class="tableinfo"><a href="mailto:zx2c4@gentoo.org">zx2c4@gentoo.org</a></td>
  <td class="tableinfo"><a href="https://sks-keyservers.net/pks/lookup?op=get&amp;search=0xA28BEDE08F1744E16037514806C4536755758000">0x49FC7012A5DE03AE</a></td>
</tr>
</table>

<div class="alert alert-info">
  <strong>Note:</strong>
  To ensure receipt and the fastest possible response in any confidential situation, we encourage senders to email at least two of the three security contacts.
</div>

<div class="alert alert-info">
  <strong>Note:</strong>
  You can see a full list of Gentoo developers, including their OpenPGP key IDs, on our <a href="/inside-gentoo/developers/">list of active developers</a>.
</div>

<h2>Resources</h2>

<h3>Security pages</h3>
<ul>
  <li><a href="https://security.gentoo.org/glsa/">GLSA index page</a> — Full list of all published GLSAs.</li>
  <li><a href="https://security.gentoo.org/glsa/feed.rss">GLSA RSS feed</a> — GLSA RSS live feed.</li>
  <li><a href="vulnerability-treatment-policy.html">Vulnerability Treatment Policy</a> — The official policy of the security team.</li>
  <li><a href="https://wiki.gentoo.org/wiki/Project:Security">Gentoo Linux Security Project</a> — The security project page.</li>
</ul>

<h3>Links</h3>
<ul>
  <li><a href="https://wiki.gentoo.org/wiki/Security_Handbook">Gentoo Security Handbook</a> — Step-by-step guide for hardening Gentoo Linux.</li>
  <li><a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened Project</a> — Bringing advanced security to Gentoo Linux.</li>
  <li><a href="/inside-gentoo/developers/">Active Developer List</a> — Active developer list including OpenPGP keys which can be used to verify GLSAs.</li>
</ul>