We can definitely create one Jira ticket for each CVE number with all the
details we want and link them from the "security" section of the OFBiz
download page.
This was probably implied in Pierre's proposal, but I prefer to state it
explicitly here: these tickets will be created only after the CVEs are publicly
disclosed (i.e. the tickets will be created and resolved at the same time).
The good news is that we can now create all the tickets for the CVEs
processed so far in the history of OFBiz, in order to implement what Pierre
has proposed here.

Jacopo

On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <pierre.sm...@gmail.com>
wrote:

> Hi all,
>
> Recently we have seen some security issues fixed in the code base
> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
> identifying, analysing and fixing these OFBiz security threats.
>
> When I look at how we communicate to our adopters that there are threats
> and how they can be mitigated [1] I believe we could and we should do a
> little bit more. There we merely put a reference to the CVE [2] issue (see
> [3] for example) and advice to upgrade. But on that page we leave
> out any particulars on how the issue affected OFBiz and what was done to
> it. Rightly so, as it is just a list of notifications.
>
> The details about the effect of the issue and the mitigation are in commits.
> But there is no apparent relation between the notification on [1] and the
> actual commit that mitigated it. Also, reporting the CVE in JIRA issues is not
> optimal. This leads to the fact that details don't appear in release notes
> very well.
>
> I believe we could and should do better. We should *always* have a JIRA
> issue explaining the CVE issue and its effect on the OFBiz product, have it
> enhanced with the proper tags or labels (e.g. CVE/Security), and - like any
> other JIRA issue - have it showing with which commit(s) it has been
> resolved and on which branch it has been implemented.
>
> With a proper filter definition on JIRA we can then shorten the
> vulnerability section in [1] and have that link to that JIRA filter
> definition.
>
> What do you think?
>
> References:
>
>    - [1] http://ofbiz.apache.org/download.html
>    - [2] CVE: Common Vulnerability and Exposure
>    - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>
>
> Best regards,
>
> Pierre Smits
>
> ORRTIZ.COM <http://www.orrtiz.com>
> OFBiz based solutions & services
>
> OFBiz Extensions Marketplace
> http://oem.ofbizci.net/oci-2/
>
