Re: [Zope-dev] Resolved security-related collector issues for the public?
Maik Jablonski wrote at 2004-1-21 21:20 +0100:
> ...
> My proposal: Can we have a delay for making security-related fixes public?
> Just a month or two or so...

-1

Most of the potential exploits have rather strict requirements (such as creation of executable content by untrusted users). Thus, few installations are really affected.

At least I will not upgrade software when I get only a vague indication about some security fixes (without a clear indication what security issues are solved).

-- 
Dieter

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Resolved security-related collector issues for the public?
Jamie Heilman writes:
> Clemens Robbenhaar wrote:
> > malicious Python Scripts on my site (I guess ;-), and I do not use DTML
> > or some Tree-stuff -- thus I did not upgrade yet, and You may feel free
>
> Actually... unless you've altered the ZMI and HelpSys, you do use
> dtml-tree ...and HelpSys is publicly traversable by default.

Thanks for the clarification. I just tried to argue from a rather ignorant point of view ... I could argue some more about why these issues look not so dangerous to me, but even if I try hard, I cannot be so ignorant ;)

Actually I only tried to point out that if someone would tell me there is another yet not published issue that would allow to read the password of my users TTW or the like, this would make me upgrade even in very ignorant mode.

However, obscuring these issues will not help ignorant (or just busy) admins a lot; they will upgrade after these issues are published, not after the fixes are released ... meanwhile black hats checking with the CVS may have their exploits applied already.

About the current discussion of a security (non-)disclosure policy: I would be happy with a policy which makes security issues public if a fix from the public CVS is available. (Well, I am running Zope from the CVS, so my position is maybe a little biased ;-)

Cheers,
Clemens
Re: [Zope-dev] Resolved security-related collector issues for the public?
Clemens Robbenhaar wrote:
> malicious Python Scripts on my site (I guess ;-), and I do not use DTML
> or some Tree-stuff -- thus I did not upgrade yet, and You may feel free

Actually... unless you've altered the ZMI and HelpSys, you do use dtml-tree ...and HelpSys is publicly traversable by default.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
[Zope-dev] Resolved security-related collector issues for the public?
[...]
> there were several security-related fixes in the collector (and the
> collector-mailing-list) in the last days. Normally security-related stuff is
> not visible for the public... and this seems to be good to avoid exploits
> etc.

At least for the resolved issues the fixes are publicly available from the CVS (maybe even together with log messages). Sufficiently skilled people thus can reconstruct the security issues from the changes; I feel there is no point in hiding them any longer.

On the other hand admins may be less pressed to upgrade if they look at the currently available list of fixes and find none which hurts them in their setup ... for example I do not have untrusted users able to write malicious Python Scripts on my site (I guess ;-), and I do not use DTML or some Tree-stuff -- thus I did not upgrade yet, and you may feel free to blow my site with one of the not yet published issues.

my 2 cents,
Clemens

btw: it does not look like either zope.org or zope.com has been upgraded yet? The find-support still looks quite public ...
Re: [Zope-dev] Resolved security-related collector issues for the public?
On Wednesday 21 January 2004 03:21 pm, Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark. I'm not going to rehash the
> arguments for and against full disclosure, but seriously--don't delude
> yourself into thinking that a problem goes away if you shut your eyes
> tightly enough.

Hear, hear!

Consider also the position of someone who writes their own product code -- if potential exploits are known to exist with specific Zope functionality, it may be desirable to make design changes to compensate. Or at least, we know to pass that information on to users of our products.

Not knowing puts us in a very uncertain position -- which I think is far worse for Zope's reputation than any specific set of known defects. What's more, that reputation may rub off on the rest of us. ;-)

"Uncertainty" is the "U" in "FUD", remember.

Cheers,
Terry
Re: [Zope-dev] Resolved security-related collector issues for the public?
Maik Jablonski wrote:
> Normally security-related stuff is not visible for the public... and
> this seems to be good to avoid exploits etc.

Hiding the bugs doesn't avoid anything, it just leaves zope administrators helpless in the dark. I'm not going to rehash the arguments for and against full disclosure, but seriously--don't delude yourself into thinking that a problem goes away if you shut your eyes tightly enough.

> Lots of security-stuff is fixed now, but I don't think that all people will
> migrate their servers as soon as possible (due to limited time, the
> experience of the Zope-2.6.3-"disaster", vacations, etc.pp.).

Sure, that's true of every security hole.

> With all the mentioned security-exploits in the collector out there, the
> probability of attacks will rise. And I don't think that this will shed a
> "good light" on Zope.

meh. Good, bad, it's irrelevant, but you can't pretend there weren't problems and expect anyone with a shred of a clue to take you seriously. If you want to establish trust, you can be honest with your community, or you can do a lot of hand waving trying to cover things up and make yourself look even worse.

> My proposal: Can we have a delay for making security-related fixes public?
> Just a month or two or so...

Every hole that's been fixed has been publicly known and detailed for well over 4 months at the latest, with the exceptions of:

615 & 1154 - sessioning machinery was losing security context
924 - object properties stored as unprotected mutables
All the unrestricted operations in RestrictedPython that were found as a result of ZC's security audit.

(And possibly the unicode crashing issue, which I think got discussed on a public list or something fairly recently.)

Delays are pointless. The broken sessioning machinery was sitting in the collector for a year and 3 months. During that time 2 different people uncovered the issue (presumably) independently, and reported it. How many uncovered it and didn't report it?

How exactly was ZC supposed to release a new version of Zope with the fixes but at the same time not divulge the nature of the security flaws? Release an obfuscated binary distribution and say "Trust Us"? That doesn't sound very much like open source.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
[Zope-dev] Resolved security-related collector issues for the public?
Hi,

there were several security-related fixes in the collector (and the collector-mailing-list) in the last days. Normally security-related stuff is not visible for the public... and this seems to be good to avoid exploits etc.

Lots of security-stuff is fixed now, but I don't think that all people will migrate their servers as soon as possible (due to limited time, the experience of the Zope-2.6.3-"disaster", vacations, etc.pp.).

With all the mentioned security-exploits in the collector out there, the probability of attacks will rise. And I don't think that this will shed a "good light" on Zope.

My proposal: Can we have a delay for making security-related fixes public? Just a month or two or so...

Cheers,
Maik