Handling of security fixes from a distribution point of view

I recently discovered a security issue in ElkArte[1]; it's nasty and rather easy to exploit.

So, thinking about how to fix it, I also had to think about how to distribute the fix, and of course I faced the problem that, whatever we do, there will be a period in which the vulnerability is public and not all forums are protected.
There is no way around it.

So, I started to think about how to minimize that period.
The most obvious thing to do is to postpone committing the fix until the moment version 1.0.1 and the patches are released, but this still leaves a window open until everyone has applied the patch. Nothing new, it happened for years with SMF, but improvement is always a nice thing.
So I was thinking of using the Wikimedia approach. The Wikimedia Foundation sends out an announcement a day before the release of a patch to inform people that a security patch is going to be released. One day is not much to be sure the announcement has been read and the admin will be "ready to upgrade", so we may send it out two days before the release.

That said, I started thinking about the technology to use.
Of course an announcements board would partially do the trick. For the moment we can send emails "immediately", but if the site grows, it could take time to send out the mails. So I was thinking of mirroring that announcement to some mailing list service like Google Groups (I created a group just now for fun :P).

That should cover pretty much everything, I think.
Did I miss anything?
Have I become too paranoid?
[1] For the record, it's present in SMF as well.
Bugs creator.
Features destroyer.
Template killer.

Re: Handling of security fixes from a distribution point of view

Reply #1

Maybe it's a little crazy, but... you could send a notification to the admin center like you send info about a new update, but it would be seen on every page inside it?

Re: Handling of security fixes from a distribution point of view

Reply #2

That would be a nice alert, kind of like the admin session alert but in the red alert box. 

Re: Handling of security fixes from a distribution point of view

Reply #3

Me likes this idea of a notification/warning! :)

But: You will send a notification that there will be a security fix two days before publishing the fix itself... So you know about the problem, but you will wait two or several days more to fix it? Why not fix it properly and as quick as possible? Must be a misunderstanding...

Re: Handling of security fixes from a distribution point of view

Reply #4

@phantom interesting idea.
At the moment there is a small barrier though: the system is tied to the GitHub release function, so in order to create a new announcement we have to create a release on GitHub... :-\
We may create a "fake" one on the patch branch and delete it once the "proper one" is created. We may try that as well.
For 1.1 we may add another "source" of notifications that we can better control... Something to think about.

@Jorin there are two cases:
1) the vulnerability is already known to everybody (i.e. a "zero day"); in that case fixing and publishing the fix ASAP would be the most important thing,
2) the vulnerability is not public yet; in this case keeping the details "secret" as much as possible is the most important thing, otherwise you would be in a situation where the forum is vulnerable, you don't know (yet) about it, and a hacker knows about the vulnerability because "I" released the fix and you have yet to receive the notification of the release.

In this specific case the bug has been around for years (likely since SMF 1.0) and there is no sign indicating the vulnerability is known to anyone apart from the few I shared it with. So preventing the vulnerability from being exploited is the most important thing [1], and informing people in advance about the release seems the most sensible option to me.
[1] Actually it would be nice to be able to coordinate the release with SMF, since the moment the fix is released by one of the two, the other side will be in a "zero day" situation.
Bugs creator.
Features destroyer.
Template killer.

Re: Handling of security fixes from a distribution point of view

Reply #5

Thanks for the explanation! :)

Re: Handling of security fixes from a distribution point of view

Reply #6

For security updates to the admins, it would be nice to have a notification box that does not only appear in the admin section, I think. I like Spuds' idea of having it the same as the session notice.
Success is not the result of spontaneous combustion, you must set yourself on fire!

Re: Handling of security fixes from a distribution point of view

Reply #7

Use a service to send the emails. It will be faster and you don't have to worry about sending it.