Foswiki Security Alert Process

I discovered a security issue. Now What?

ALERT! Important: In case you think that you discovered a security issue that could potentially compromise Foswiki installations, please send an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at mailto:foswiki-security@foswiki.org. We will follow up in a timely manner with a fix and will inform administrators before the issue gets public.

Note: You cannot subscribe to the foswiki-security mailing list. It is for the security team only. To keep yourself up to date with security announcements please subscribe to the foswiki-announce mailing list

How can I get notified of security issues?

  • Please subscribe to the foswiki-announce mailing list to get updates on new Foswiki releases and Foswiki vulnerabilities in a timely manner. See MailingLists for information about Foswiki mailing lists and how to subscribe to them.

Security Alert Process

The Foswiki community is trying its best to provide a hotfix and to send SecurityAlerts to Foswiki site administrators in a timely manner.

  • Someone sends an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at mailto:foswiki-security@foswiki.org
  • The SecurityTaskTeam triages the seriousness of the issue:
    • Severity 1 issue: The web server can be compromised
      • Example: Software can be installed and executed remotely
      • Example: User input can result in severe Denial of Service. (Swap space exhaustion and crash)
      • Responsiveness goal: Fix and alert within 24 hours
    • Severity 2 issue: The Foswiki installation is compromised
      • Example: The access control of the admin group can be circumvented
      • Responsiveness goal: Fix and alert within 48 hours
    • Severity 3 issue: Foswiki content or browser is compromised
      • Responsiveness goal: Handle as bugs report in Tasks web, no alert
  • Action for Severity 1 and 2 issues:
    • Verify issue
    • Create hotfix for affected Foswiki production releases
    • Obtain CVE
    • Initial alert: Alert foswiki-announce and foswiki-discuss mailing list members
    • After 2 day grace period, avoiding weekend: Issue a public security advisory
    • Create a patched production release or a Hot Fix for the latest production release within 7 days
  • Action for Priority 3 issue:
    • File a bug report in Tasks web.
    • Fix in development branch for upcoming Foswiki production release
    • Create non-CVE alert if appropriate.

Note that the security team can choose to delay the initial alert a few days if the fix is relatively easy to implement so the announcement can happen with a full patch release.

Developer generated security alerts

Severity 1 and 2 alerts

  • Obtain a CVE number from Mitre. (Send details of the exploit to cve-assign@mitre.org )
  • Create a new alert topic using SecurityAlertCVETemplate as a template in the Support web. Make sure the name is SecurityAlert-CVE-Num-ber where Num-ber is the number from Mitre.
  • Make sure the new alert is protected so only the security task team and admins can read it
  • When ready remove the read protection.

Severity 3 alerts

  • Create a new alert topic using SecurityAlertCVETemplate as a template in the Support web. Make sure the name is SecurityAlert-<SomeName>-YYYY-MMDD.
  • Make sure the new alert is protected so only the security task team and admins can read it
  • When ready remove the read protection.
Topic revision: r10 - 09 Oct 2017, MarkusUeberall
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy