clarification needed: ALC_FLR.3.6C
Hi!

ALC_FLR.3.6C says:
	The procedures for processing reported security flaws
	shall ensure that any reported flaws are corrected and the
	correction issued to TOE users.

The scope of the requirement is not adequately defined. Questions
that arise:
- which version of the TOE?
	- what about archaic versions?
	- what about development versions?
- what about non-TOE-related issues?
	- incidents in the development environment
	- issues with the toolchain used
	- issues with software/hardware commonly used together
	with the TOE, specifically "the underlying abstract machine"

The Debian GNU/Linux project does have flaw remediation procedures,
which ensure that all reported security flaws _for the released
version of Debian GNU/Linux_ are corrected and an advisory is
issued. However, the flaw remediation documentation expressly
excludes the development versions and the software related to the
TOE (contrib and non-free), which are not considered to be
part of it.
More info:
http://www.debian.org/security/faq

I judge that the project does fulfill the requirement.

What is your interpretation?

-- 
GNU GPL: only from clean source