
Foswiki Security Alert Process (Chinese translation in progress)

I discovered a security issue. Now What?

  • Important: If you think you have discovered a security issue that could compromise Foswiki installations, please send an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at foswiki-security@lists.sourceforge.net. We will follow up in a timely manner with a fix and will inform administrators before the issue is made public.

How can I get notified of security issues?

  • Please subscribe to the foswiki-announce mailing list to get updates on new Foswiki releases and Foswiki vulnerabilities in a timely manner. See MailingLists for information about Foswiki mailing lists and how to subscribe to them.

Security Alert Process

The Foswiki community does its best to provide a hotfix and to send SecurityAlerts to Foswiki site administrators in a timely manner.

  • Someone sends an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at foswiki-security@lists.sourceforge.net
  • The SecurityTaskTeam triages the seriousness of the issue:
    • Severity 1 issue: The web server can be compromised
      • Example: Software can be installed and executed remotely
      • Responsiveness goal: Fix and alert within 24 hours
    • Severity 2 issue: The Foswiki installation is compromised
      • Example: The access control of the admin group can be circumvented
      • Responsiveness goal: Fix and alert within 48 hours
    • Severity 3 issue: Foswiki content or browser is compromised
      • Responsiveness goal: Handle as a bug report in the Tasks web, no alert
  • Action for Severity 1 and 2 issues:
    • Verify issue
    • Create hotfix for affected Foswiki production releases
    • Initial alert: Alert foswiki-announce and foswiki-discuss mailing list members
    • After a 2-day grace period (avoiding weekends): Issue a public security advisory
    • Create a patched production release or a hotfix for the latest production release within 7 days
  • Action for Severity 3 issues:
    • File a bug report in Tasks web.
    • Fix in development branch for upcoming Foswiki production release

Note that the security team can choose to delay the initial alert by a few days if the fix is relatively easy to implement, so that the announcement can coincide with a full patch release.

Security Alerts

  • Obtain a CVE number from Mitre.
  • Create a new alert topic here in the Development web, using SecurityAlertCVETemplate as the template. Name it SecurityAlert-CVE-Num-ber, where Num-ber is the number assigned by Mitre.
  • Make sure the new alert topic is protected so that only the security task team and admins can read it
  • When ready move the topic to the Support web and remove the read protection.
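As an added illustration of the read-protection step (not part of the original page and not a setting the project itself prescribes), the following Foswiki topic preference settings restrict viewing and editing of the draft alert topic. Main.AdminGroup is Foswiki's default administrator group; Main.SecurityTaskTeamGroup is an assumed group name for the security task team and must match whatever group actually exists on the site.

```text
   * Set ALLOWTOPICVIEW = Main.AdminGroup, Main.SecurityTaskTeamGroup
   * Set ALLOWTOPICCHANGE = Main.AdminGroup, Main.SecurityTaskTeamGroup
```

The settings must appear as bullet items at the start of a line (three spaces, an asterisk, then Set) in the topic text and take effect once the topic is saved. Before moving the topic to the Support web, delete both lines so that the published advisory is readable by everyone.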
Topic revision: r1 - 05 Oct 2009 - 04:42:42 - CoriaXu