Foswiki Security Alert Process

I discovered a security issue. Now What?

Important: If you believe you have discovered a security issue that could compromise Foswiki installations, please send an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at foswiki-security@lists.sourceforge.net. Do not post the details in the public Tasks web or on the public mailing lists. We will follow up in a timely manner with a fix and will inform administrators before the issue is made public.

Note: You cannot subscribe to the foswiki-security mailing list; it is for the security team only. To keep yourself up to date with security announcements, please subscribe to the foswiki-announce mailing list.

How can I get notified of security issues?

  • Please subscribe to the foswiki-announce mailing list to receive timely notice of new Foswiki releases and Foswiki vulnerabilities. See MailingLists for information about the Foswiki mailing lists and how to subscribe to them.

Security Alert Process

The Foswiki community does its best to provide a hotfix and to send SecurityAlerts to Foswiki site administrators in a timely manner.

  • Someone sends an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at foswiki-security@lists.sourceforge.net
  • The SecurityTaskTeam triages the seriousness of the issue:
    • Severity 1 issue: The web server can be compromised
      • Example: Software can be installed and executed remotely
      • Example: User input can result in a severe Denial of Service (swap space exhaustion and crash)
      • Responsiveness goal: Fix and alert within 24 hours
    • Severity 2 issue: The Foswiki installation is compromised
      • Example: The access control of the admin group can be circumvented
      • Responsiveness goal: Fix and alert within 48 hours
    • Severity 3 issue: Foswiki content or the user's browser is compromised
      • Responsiveness goal: Handle as a bug report in the Tasks web, no alert
  • Action for Severity 1 and 2 issues:
    • Verify the issue
    • Create a hotfix for the affected Foswiki production releases
    • Obtain a CVE
    • Initial alert: Alert foswiki-announce and foswiki-discuss mailing list members
    • After a two-day grace period (not spanning a weekend): Issue a public security advisory
    • Create a patched production release, or a Hot Fix for the latest production release, within 7 days
  • Action for Severity 3 issues:
    • File a bug report in the Tasks web.
    • Fix in the development branch for the upcoming Foswiki production release
    • Create a non-CVE alert if appropriate.

Note that the security team can choose to delay the initial alert by a few days if the fix is relatively easy to implement, so that the announcement can coincide with a full patch release.

Developer generated security alerts

Severity 1 and 2 alerts

  • Obtain a CVE number from Mitre. (Send details of the exploit to cve-assign@mitre.org.)
  • Create a new alert topic using SecurityAlertCVETemplate as a template in the Support web. Make sure the name is SecurityAlert-CVE-<year>-<number>, using the identifier exactly as assigned by Mitre.
  • Make sure the new alert is read-protected so that only the security task team and admins can read it; the draft contains the exploit details.
  • When the advisory is ready to go public (after the grace period above), remove the read protection.

Severity 3 alerts

  • Create a new alert topic using SecurityAlertCVETemplate as a template in the Support web. Make sure the name is SecurityAlert-<SomeName>-YYYY-MMDD.
  • Make sure the new alert is read-protected so that only the security task team and admins can read it.
  • When the advisory is ready to go public, remove the read protection.
Topic revision: r8 - 02 Aug 2013, MichaelDaum