From: Peter T. <pet...@at...> - 2004-11-30 17:26:36
Dear Florian,

we are still adjusting to the improved process. I just subscribed all core team members to the twiki-security list and added you and Andrew Moise as well, since you are so helpful in improving TWiki security. Please follow up on this list. We will also add all folks who have svn commit access to the list.

All: The twi...@li... list is open for anyone to post. The intent is to make it easy to alert the security team and core developers of potential issues.

Regards, Peter

Florian Weimer wrote:
>
> So what's the correct security process today? Is twiki-security still
> the correct mailing list? I'm somewhat confused because it appears as
> if I'm subscribed to this mailing list and I'm not sure how this
> happened and how I qualify.
>
> Anyway, I've submitted a potential Priority 1 issue (server-side code
> execution) affecting a plugin that is shipped on twiki.org to
> twiki-core, but haven't received a reply so far. There are several more
> potential Priority 1 issues to come (including at least one in a
> pre-installed plugin, if I read the Cairo release notes correctly),
> and I'm not sure if I've got the time to properly coordinate them
> according to the security process.
>
> I'm writing "potential" because I haven't written exploit code.
> Usually, I can patch two vulnerabilities in the time I write one
> exploit, so writing exploits is not cost-effective: it's cheaper to
> patch the questionable code myself than to force others to do it for
> me. I'm also facing the problem that the TWiki installation which needs
> these security fixes runs on a large multi-user machine, and the
> changes are bound to leak some day, so keeping the holes private
> forever (after quietly fixing them) isn't an option.

--
* Peter Thoeny Peter@Thoeny.com
* Is your team already TWiki enabled? http://TWiki.org
* This e-mail is: (x) public (_) ask first (_) private