Gentoo Linux Security

1. Security in Gentoo Linux

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. The Gentoo Linux Security Project is tasked with providing timely information about security vulnerabilities in Gentoo Linux, along with patches to secure those vulnerabilities. We work directly with vendors, end users and other OSS projects to ensure all security incidents are responded to quickly and professionally.

You can find a document describing the policy the security team follows to treat the vulnerabilities found in the Gentoo Linux distribution on the Vulnerability Treatment Policy page.

Installing a secure Gentoo system

The Gentoo Security Handbook gives information and tips for building a secure system and hardening existing systems.

Keeping your Gentoo system secure

To stay up-to-date with the security fixes you should subscribe to receive GLSAs and apply GLSA instructions whenever you have an affected package installed. Alternatively, syncing your portage tree and upgrading every package should also keep you up-to-date security-wise.

Integration of security-only updates in Portage tools is underway. In the mean time, you can try our experimental glsa-check tool (part of the gentoolkit package) to check if a specific GLSA applies to your system (-p option), list all GLSAs with applied/affected/unaffected status (-l option) or apply a given GLSA to your system (-f option).

2. Gentoo Linux Security Announcements (GLSAs)

Gentoo Linux Security Announcements are notifications that we send out to the community to inform them of security vulnerabilities related to Gentoo Linux or the packages contained in our portage repository.

Recent Advisories

GLSA	Severity	Package	Description	Bug
200807-02	Normal	media-video/motion	Motion: Execution of arbitrary code	227053
200807-01	Normal	dev-lang/python	Python: Multiple integer overflows	216673
200806-11	Normal	dev-java/ibm-jdk-bin (and 1 more)	IBM JDK/JRE: Multiple vulnerabilities	186277
200806-10	Normal	media-libs/freetype	FreeType: User-assisted execution of arbitrary code	225851
200806-09	Normal	media-libs/libvorbis	libvorbis: Multiple vulnerabilities	222085
200806-08	Normal	dev-libs/openssl	OpenSSL: Denial of Service	223429
200806-07	High	x11-base/xorg-server	X.Org X server: Multiple vulnerabilities	225419
200806-06	Normal	mail-client/evolution	Evolution: User-assisted execution of arbitrary code	223963
200806-05	Normal	app-misc/cbrpager	cbrPager: User-assisted execution of arbitrary code	223657

For a full list of all published GLSAs, please see our GLSA index page.

How to receive GLSAs

GLSA announcements are sent to the gentoo-announce@gentoo.org mailing-list, and as a RDF feed available at http://www.gentoo.org/rdf/en/glsa-index.rdf.

3. Security Team contact information

Gentoo Linux takes security vulnerability reports very seriously. Please file new vulnerability reports on Gentoo Bugzilla and assign them to the Gentoo Security product and Vulnerabilities component. Click here to directly submit a new security vulnerability. The Gentoo Linux Security Team will ensure all security-related bug reports are responded to in a timely fashion.

If you find errors or omissions in published GLSAs, you should also file a bug in Gentoo Bugzilla in the Gentoo Security product, but with GLSA Errors component. Click here to directly submit a new GLSA bug.

Confidential contacts

You have two options to submit non-public vulnerabilities to the Gentoo Linux Security Team. You may submit a bug in Gentoo Bugzilla using the New-Expert action, or the Enter a new bug report (advanced) link, and check the Gentoo Security checkbox in the Only users in all of the selected groups can view this bug section. You may also contact directly using encrypted mail one of the following security contacts:

Name	Responsability	Email	GPG keyID (click to retrieve public key)
Raphaël Marichez	Operational co-manager	falco@gentoo.org	0x021C5BD2
Matthias Geerdsen	Operational co-manager	vorlon@gentoo.org	0xB16A5183

Note: You can see a full list of Gentoo developers, including their GPG key ID on our list of active developers

4. Resources

Security pages

GLSA index page -- Full list of all published GLSAs
GLSA RDF feed -- GLSA RDF live feed. You can limit the number of GLSAs shown by appending "?num=n" to the URL, where "n" needs to be replaced with the number of entries you want. For example http://www.gentoo.org/rdf/en/glsa-index.rdf?num=20 will list the last 20 GLSAs.
Vulnerability Treatment Policy -- The official policy the Security Team follows
Gentoo Linux Security Project -- The security project page

Links

Gentoo Security Handbook -- Step-by-step guide for hardening Gentoo Linux
Gentoo Hardened Project -- Bringing advanced security to Gentoo Linux
Gentoo Server Project -- Focusing on server-specific issues, such as security and stability
Active Developer List -- Active Developer List including GPG keys which can be used to verify GLSAs

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.