From patchwork Fri Sep 29 23:06:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Hemminger X-Patchwork-Id: 13404862 X-Patchwork-Delegate: dsahern@gmail.com Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7F1AA47369 for ; Fri, 29 Sep 2023 23:06:47 +0000 (UTC) Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B7FFDD for ; Fri, 29 Sep 2023 16:06:43 -0700 (PDT) Received: by mail-pj1-x1031.google.com with SMTP id 98e67ed59e1d1-278eaffd81dso5321815a91.0 for ; Fri, 29 Sep 2023 16:06:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20230601.gappssmtp.com; s=20230601; t=1696028802; x=1696633602; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=B9vBj/XqXdCg6y/PwdE6HuNug0gddzTjmPZv3RLwNYM=; b=pqLfabI9j1l4W1u/Ihse2TBCqHtdIox3lSEzDUTFrG8POR3nguEAltM9utHv2uExH0 dFBcvJlmEXsV0SBApVbLoUdNQZ/jG+knnuH6mQuFHW4dB/eGIb1x3m5XkIeflOUvFz18 07zLvviUlj9k8cxTRyStH0Q3VcQj1sSdU+in/MM8MvMxM21i15wv2aw0OHPo0LOiwGx1 q05Wj8Wz0/6RtLHnufyzw16z4OKlhA9jHY7KBeVnQ4YZGoSB3wwMkOrUy//amOGiMgzs /2TWu2FdUaHZ+Nr3v0oRT7pAnULAOxxKAqWjUc5vbzeYM7EBzXahnX+E4hI0dFqVc/b0 IqcQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696028802; x=1696633602; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=B9vBj/XqXdCg6y/PwdE6HuNug0gddzTjmPZv3RLwNYM=; b=KSYNLxnnPi82OGnGaJzrcoICHeB+zkWt6R8txvsnByP/NaM+5cT1w+Mauzc4fGwOW9 2yu9GC7INBisrSRSf4QAbFfIJ5u5Q10/D4dClxPAbyqxEyTsW0SFceGFD66RS5Kn+DSL ucZ6Q0N8333DpH60CvsnzbNYbY9EQv3krNhriuJhvVnmtqKA/syROQrgXkb18SWSQt7i ABouvq/37uyjuGsWBrhAPGoGqYaWJgVBUk0HPoekXjNTynMm5ddABCYKeicX2k4zVqlI ItS0QoK1SOxal41NLsEztv/JPqazJdFBedIVr4MWvULAe3COwqAILchN3ga09uV0SmKj YfDg== X-Gm-Message-State: AOJu0YwM/5q4WxE8LS+LJTQsQ8umrmDs+aJQjjStb+gwUaq0JfQxJu7L oep05+9muMHSDD4xiLe7Z77H45Q1kESvuZTnjC0= X-Google-Smtp-Source: AGHT+IH5A/RQliYtL/kVU34g5f+iClP+p4egfRuy2AdoqKQlj44nWQfcHyUYlcdxmjWtc90buXCIJw== X-Received: by 2002:a17:90a:d515:b0:276:c6b8:eaae with SMTP id t21-20020a17090ad51500b00276c6b8eaaemr5236936pju.7.1696028802116; Fri, 29 Sep 2023 16:06:42 -0700 (PDT) Received: from hermes.local (204-195-126-68.wavecable.com. [204.195.126.68]) by smtp.gmail.com with ESMTPSA id a8-20020a17090a740800b002636e5c224asm1977803pjg.56.2023.09.29.16.06.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Sep 2023 16:06:41 -0700 (PDT) From: Stephen Hemminger To: netdev@vger.kernel.org Cc: Stephen Hemminger Subject: [PATCH iproute2] Add a security policy Date: Fri, 29 Sep 2023 16:06:29 -0700 Message-Id: <20230929230629.66868-1-stephen@networkplumber.org> X-Mailer: git-send-email 2.39.2 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: dsahern@gmail.com Iproute2 security policy is minimal since the security domain is controlled by the kernel. But it should be documented before some new security related bug arises at some future time. Signed-off-by: Stephen Hemminger --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..d5a7775fc147 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Reporting a vulnerability + +The iproute2 suite of utilities is tightly coupled with the Linux +kernel networking. Therefore the bug reporting process mirrors +the Linux kernel. Most security problems reported related to +iproute2 are really Linux kernel issues (a.k.a Shoot the messenger) +and are best handled via +[Linux Security Bugs](https://docs.kernel.org/process/security-bugs.html). + +For other issues please report bugs to netdev@vger.kernel.org +and include an example script. + +## Supported Versions + +There are no official "Long Term Support" versions for iproute2. +The iproute2 version matches the Linux kernel versions. +There will be occasional maintenance releases for serious +issues if found. Users who need support are encouraged +to use the version of iproute2 found in major distributions.