Yes, I agree with Jacopo: we can create the issue only when they are corrected.

Nicolas


On 29/11/2016 at 10:55, Jacopo Cappellato wrote:
We can definitely create one Jira ticket for each CVE number with all the
details we want and link them from the "security" section of the OFBiz
download page.
This was probably implied in Pierre's proposal, but I prefer to explicitly
state it here: these tickets will be created only after the CVEs are publicly
disclosed (i.e. the tickets will be created and resolved at the same time).
The good news is that we can create now all the tickets for the CVEs
processed so far in the history of OFBiz, in order to implement what Pierre
has proposed here.

Jacopo

On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <pierre.sm...@gmail.com>
wrote:

Hi all,

Recently we have seen some security issues fixed in the code base
(CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
identifying, analysing and fixing these OFBiz security threats.

When I look at how we communicate to our adopters that there are threats
and how they can be mitigated [1], I believe we could and should do a
little bit more. There we merely put a reference to the CVE [2] issue (see
[3] for example) and advice to upgrade. But on that page we leave
out any particulars on how the issue affected OFBiz and what was done
about it. Rightly so, as it is just a list of notifications.

The details about the effect of the issue and the mitigation are in the commits.
But there is no apparent relation between the notification on [1] and the
actual commit that mitigated it. Also, reporting the CVE in JIRA issues is not
optimal. As a result, the details don't appear in the release notes
very well.

I believe we could and should do better. We should *always* have a JIRA
issue explaining the CVE issue and its effect on the OFBiz product, have it
enhanced with the proper tags or labels (e.g. CVE/Security), and - like any
other JIRA issue - have it show with which commit(s) it has been
resolved and on which branch(es) it has been implemented.

With a proper filter definition on JIRA we can then shorten the
vulnerability section in [1] and have it link to that JIRA filter
definition.

What do you think?

References:

    - [1] http://ofbiz.apache.org/download.html
    - [2] CVE: Common Vulnerabilities and Exposures
    - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800


Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/