Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2016/12/17 09:31:45 UTC

Re: OFBiz security issues

Done, I added the CVE label to all concerned issues I found

Jacques


On 30/11/2016 at 10:13, Jacques Le Roux wrote:
> +1 for tags
>
> There are only a few OFBIZ-1525 subtasks which are related to a CVE. I can add the CVE tags in them and in future we can just create tasks with the CVE tag
>
> Agreed?
>
> Jacques
>
>
> On 30/11/2016 at 00:02, Paul Foxworthy wrote:
>> Hi all,
>>
>> Using JIRA is a good idea, and we need to be able to find them. But a
>> security issue is not a subtask and not a component. I think a tag will
>> work fine.
>>
>> Thanks
>>
>> Paul
>>
>>
>> On 30 November 2016 at 00:42, Jacopo Cappellato <jacopo.cappellato@hotwaxsystems.com> wrote:
>>
>>> Tags or components are fine to me (you can specify more than one component
>>> to each ticket); I agree that a tag may be more appropriate for this use
>>> case. My preference is just to not use subtasks.
>>>
>>> Jacopo
>>>
>>> On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <pi...@gmail.com> wrote:
>>>
>>>> Well...
>>>>
>>>> CVEs can occur on any component (even though past issues have been related for the most part to framework components). So having a particular component just for CVE reference purposes would complicate matters as much as converting JIRA issues into sub-tasks.
>>>>
>>>> Applying a tag to the issue (e.g. CVE) and using a persisted filter in JIRA would be sufficient to link to from the download page (and elsewhere, e.g. the 'keeping OFBiz secure' cwiki page).
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>>
>>>> Pierre Smits
>>>>
>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>> OFBiz based solutions & services
>>>>
>>>> OFBiz Extensions Marketplace
>>>> http://oem.ofbizci.net/oci-2/
>>>>
>>>> On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <jacopo.cappellato@hotwaxsystems.com> wrote:
>>>>
>>>>> Rather than using subtasks I think it would be better to use a component (named CVE or similar).
>>>>>
>>>>> On 29 Nov 2016 1:50 PM, "Jacques Le Roux" <jacques.le.roux@les7arts.com> wrote:
>>>>>
>>>>>> Also it would be better if we can group all security issues in Jira. For that I created OFBIZ-1525; please, if you create Jira security issues, create (or convert) them as subtasks of OFBIZ-1525.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> On 29/11/2016 at 11:05, Pierre Smits wrote:
>>>>>>
>>>>>>> Of course, I implied this policy to be in line with
>>>>>>> http://www.apache.org/security/
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pierre Smits
>>>>>>>
>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>> OFBiz based solutions & services
>>>>>>>
>>>>>>> OFBiz Extensions Marketplace
>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>
>>>>>>> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <nicolas.malin@nereide.fr> wrote:
>>>>>>>
>>>>>>>> Yes I agree with Jacopo, we can create the issue only when they are corrected
>>>>>>>>
>>>>>>>> Nicolas
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 29/11/2016 at 10:55, Jacopo Cappellato wrote:
>>>>>>>>
>>>>>>>>> We can definitely create one Jira ticket for each CVE number with all the details we want and link them from the "security" section of the OFBiz download page.
>>>>>>>>> This was probably implied in Pierre's proposal, but I prefer to explicitly state here: these tickets will be created only after the CVE are publicly disclosed (i.e. the tickets will be created and resolved at the same time).
>>>>>>>>> The good news is that we can create now all the tickets for the CVE processed so far in the history of OFBiz, in order to implement what Pierre has proposed here.
>>>>>>>>>
>>>>>>>>> Jacopo
>>>>>>>>>
>>>>>>>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <pierre.smits@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> Recently we have seen some security issues fixed in the code base (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in identifying, analysing and fixing these OFBiz security threats.
>>>>>>>>>>
>>>>>>>>>> When I look at how we communicate to our adopters that there are threats and how they can be mitigated [1] I believe we could and we should do a little bit more. There we merely put a reference to the CVE [2] issue (see [3] for example) and advise to upgrade. But on that page we leave out any particulars on how the issue affected OFBiz and what was done about it. Rightly so, as it is just a list of notifications.
>>>>>>>>>>
>>>>>>>>>> The details about the effect of the issue and the mitigation are in commits. But there is no apparent relation between the notification on [1] and the actual commit that mitigated it. Also, reporting the CVE in JIRA issues is not optimal. This leads to the fact that details don't appear in release notes very well.
>>>>>>>>>>
>>>>>>>>>> I believe we could and should do better. We should *always* have a JIRA issue explaining the CVE issue and its effect on the OFBiz product, have it enhanced with the proper tags or labels (e.g. CVE/Security), and - like any other JIRA issue - have it showing with which commit(s) it has been resolved and on which branch it has been implemented.
>>>>>>>>>>
>>>>>>>>>> With a proper filter definition on JIRA we can then shorten the vulnerability section in [1] and have that link to that JIRA filter definition.
>>>>>>>>>>
>>>>>>>>>> What do you think?
>>>>>>>>>>
>>>>>>>>>> References:
>>>>>>>>>>
>>>>>>>>>>       - [1] http://ofbiz.apache.org/download.html
>>>>>>>>>>       - [2] CVE: Common Vulnerabilities and Exposures
>>>>>>>>>>       - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>>
>>>>>>>>>> Pierre Smits
>>>>>>>>>>
>>>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>>>>> OFBiz based solutions & services
>>>>>>>>>>
>>>>>>>>>> OFBiz Extensions Marketplace
>>>>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>>>>