Of course, I implied this policy to be in line with http://www.apache.org/security/

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <[email protected]> wrote:

> Yes, I agree with Jacopo: we can create the issue only when they are
> corrected.
>
> Nicolas
>
> On 29/11/2016 at 10:55, Jacopo Cappellato wrote:
>
>> We can definitely create one Jira ticket for each CVE number with all the
>> details we want and link them from the "security" section of the OFBiz
>> download page.
>> This was probably implied in Pierre's proposal, but I prefer to explicitly
>> state it here: these tickets will be created only after the CVEs are
>> publicly disclosed (i.e. the tickets will be created and resolved at the
>> same time).
>> The good news is that we can now create all the tickets for the CVEs
>> processed so far in the history of OFBiz, in order to implement what
>> Pierre has proposed here.
>>
>> Jacopo
>>
>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> Recently we have seen some security issues fixed in the code base
>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>>> identifying, analysing and fixing these OFBiz security threats.
>>>
>>> When I look at how we communicate to our adopters that there are threats
>>> and how they can be mitigated [1], I believe we could and we should do a
>>> little bit more. There we merely put a reference to the CVE [2] issue
>>> (see [3] for example) and advise to upgrade. But on that page we leave
>>> out any particulars on how the issue affected OFBiz and what was done
>>> about it. Rightly so, as it is just a list of notifications.
>>>
>>> The details about the effect of the issue and the mitigation are in
>>> commits. But there is no apparent relation between the notification on
>>> [1] and the actual commit that mitigated it. Also, reporting the CVE in
>>> JIRA issues is not optimal. This leads to the fact that details don't
>>> appear in release notes very well.
>>>
>>> I believe we could and should do better. We should *always* have a JIRA
>>> issue explaining the CVE issue and its effect on the OFBiz product, have
>>> it enhanced with the proper tags or labels (e.g. CVE/Security), and,
>>> like any other JIRA issue, have it show with which commit(s) it has been
>>> resolved and on which branch it has been implemented.
>>>
>>> With a proper filter definition on JIRA we can then shorten the
>>> vulnerability section in [1] and have that link to that JIRA filter
>>> definition.
>>>
>>> What do you think?
>>>
>>> References:
>>>
>>> - [1] http://ofbiz.apache.org/download.html
>>> - [2] CVE: Common Vulnerabilities and Exposures
>>> - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>
>>> Best regards,
>>>
>>> Pierre Smits
>>>
>>> ORRTIZ.COM <http://www.orrtiz.com>
>>> OFBiz based solutions & services
>>>
>>> OFBiz Extensions Marketplace
>>> http://oem.ofbizci.net/oci-2/
