You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@brooklyn.apache.org by rdowner <gi...@git.apache.org> on 2017/02/10 16:24:33 UTC
[GitHub] brooklyn-docs pull request #149: Add our security advisories to public websi...
GitHub user rdowner opened a pull request:
https://github.com/apache/brooklyn-docs/pull/149
Add our security advisories to public website
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/rdowner/brooklyn-docs security-update-feb2017
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/brooklyn-docs/pull/149.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #149
----
commit 40bab8fb1c7e40124b6e5b01ada691411cc85228
Author: Richard Downer <ri...@apache.org>
Date: 2017-02-10T16:06:09Z
Security advisories
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] brooklyn-docs pull request #149: Add our security advisories to public websi...
Posted by drigodwin <gi...@git.apache.org>.
Github user drigodwin commented on a diff in the pull request:
https://github.com/apache/brooklyn-docs/pull/149#discussion_r100573525
--- Diff: website/community/security/CVE-2016-8737.md ---
@@ -0,0 +1,40 @@
+---
+layout: website-normal
+title: "CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn"
+---
+
+## Severity
+Major
+
+## Vendor
+The Apache Software Foundation
+
+## Versions Affected
+Apache Brooklyn 0.9.0 and all prior versions
+
+## Description
+Apache Brooklyn's REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
+
+## Solution
+Upgrade to Apache Brooklyn 0.10.0. This includes commit [1] adding opt-in CSRF protection server-side and commit [2] where the JS client opts-in.
+
+## Temporary mitigation if you cannot upgrade to 0.10.0
+Do not visit websites with possible malicious content targeted at you in the same browser instance logged in to Brooklyn unless you have CSRF-POST protection installed in the browser (see [3]). Do not share a Brooklyn server with untrusted users without an enhanced entitlements scheme. Do not publicize the address of Brooklyn-based UIs. If a link you click on takes you to Brooklyn unexpectedly, contact your security team immediately.
--- End diff --
'targeted at you' is unnecessary
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] brooklyn-docs pull request #149: Add our security advisories to public websi...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/brooklyn-docs/pull/149
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] brooklyn-docs issue #149: Add our security advisories to public website
Posted by rdowner <gi...@git.apache.org>.
Github user rdowner commented on the issue:
https://github.com/apache/brooklyn-docs/pull/149
Thanks @drigodwin - would rather avoid changing text content as advisories already published elsewhere but take your point about the links. I'll make amendments and then merge myself. Thanks for the review!
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] brooklyn-docs pull request #149: Add our security advisories to public websi...
Posted by drigodwin <gi...@git.apache.org>.
Github user drigodwin commented on a diff in the pull request:
https://github.com/apache/brooklyn-docs/pull/149#discussion_r100572351
--- Diff: website/community/security/CVE-2016-8737.md ---
@@ -0,0 +1,40 @@
+---
+layout: website-normal
+title: "CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn"
+---
+
+## Severity
+Major
+
+## Vendor
+The Apache Software Foundation
+
+## Versions Affected
+Apache Brooklyn 0.9.0 and all prior versions
+
+## Description
+Apache Brooklyn's REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
+
+## Solution
+Upgrade to Apache Brooklyn 0.10.0. This includes commit [1] adding opt-in CSRF protection server-side and commit [2] where the JS client opts-in.
--- End diff --
I would make the reference numbers links to either the source article or the references. Perhaps make Apache Booklyn 0.10.0 a link to the download page?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---