OFBiz security issues

> Hi all,
>
> Recently we have seen some security issues fixed in the code base
> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
> identifying, analysing and fixing these OFBiz security threats.
>
> When I look at how we communicate to our adopters that there are threats
> and how they can be mitigated [1] I believe we could and we should do a
> little bit more. There we merely put a reference to the CVE [2] issue (see
> [3] for example) there and and advice to upgrade. But on that page we leave
> out any particulars on how the issue affected OFBiz and what was done to
> it. Rightly so as it is just a list of notifications.
>
> The details about the effect of the issue and the mitigation is in commits.
> But there is no apparent relation between the notification on [1] and the
> actual commit that mitigated. Also reporting the CVE in JIRA issues not
> optimal. This leads to the fact that details don't appear in release notes
> very well.
>
> I believe we could and should do better. We should *always* have a JIRA
> issue explaining the CVE issue and its effect on the OFBiz product, have it
> enhanced with the proper tags or labels (e.g. CVE/Security), and - like any
> other JIRA issue - have it showing with which commit(s) it has been
> resolved and on which branch it has been implemented.
>
> With a proper filter definition on JIRA we can then shorten the
> vulnerability section in [1] and have that link to that JIRA filter
> definition.
>
> What do you think?
>
> References:
>
>    - [1] http://ofbiz.apache.org/download.html
>    - [2] CVE: Common Vulnerability and Exposure
>    - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>
>
> Best regards,
>
> Pierre Smits
>
> ORRTIZ.COM <http://www.orrtiz.com>
> OFBiz based solutions & services
>
> OFBiz Extensions Marketplace
> http://oem.ofbizci.net/oci-2/
>

> We can definitely create one Jira ticket for each CVE number with all the
> details we want and link them from the "security" section of the OFBiz
> download page.
> This was probably implied in Pierre's proposal, but I prefer to explicitly
> state here: these tickets will be created only after the CVE are publicly
> disclosed (i.e. the tickets will be created and resolved at the same time).
> The good news is that we can create now all the tickets for the CVE
> processed so far in the history of OFBiz, in order to implement what Pierre
> has proposed here.
>
> Jacopo
>
> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[hidden email]>
> wrote:
>
>> Hi all,
>>
>> Recently we have seen some security issues fixed in the code base
>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>> identifying, analysing and fixing these OFBiz security threats.
>>
>> When I look at how we communicate to our adopters that there are threats
>> and how they can be mitigated [1] I believe we could and we should do a
>> little bit more. There we merely put a reference to the CVE [2] issue (see
>> [3] for example) there and and advice to upgrade. But on that page we leave
>> out any particulars on how the issue affected OFBiz and what was done to
>> it. Rightly so as it is just a list of notifications.
>>
>> The details about the effect of the issue and the mitigation is in commits.
>> But there is no apparent relation between the notification on [1] and the
>> actual commit that mitigated. Also reporting the CVE in JIRA issues not
>> optimal. This leads to the fact that details don't appear in release notes
>> very well.
>>
>> I believe we could and should do better. We should *always* have a JIRA
>> issue explaining the CVE issue and its effect on the OFBiz product, have it
>> enhanced with the proper tags or labels (e.g. CVE/Security), and - like any
>> other JIRA issue - have it showing with which commit(s) it has been
>> resolved and on which branch it has been implemented.
>>
>> With a proper filter definition on JIRA we can then shorten the
>> vulnerability section in [1] and have that link to that JIRA filter
>> definition.
>>
>> What do you think?
>>
>> References:
>>
>>     - [1] http://ofbiz.apache.org/download.html
>>     - [2] CVE: Common Vulnerability and Exposure
>>     - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> ORRTIZ.COM <http://www.orrtiz.com>
>> OFBiz based solutions & services
>>
>> OFBiz Extensions Marketplace
>> http://oem.ofbizci.net/oci-2/
>>

> Yes I agree with Jacopo, when can create the issue only when they are
> corrected
>
> Nicolas
>
>
>
> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
>
>> We can definitely create one Jira ticket for each CVE number with all the
>> details we want and link them from the "security" section of the OFBiz
>> download page.
>> This was probably implied in Pierre's proposal, but I prefer to explicitly
>> state here: these tickets will be created only after the CVE are publicly
>> disclosed (i.e. the tickets will be created and resolved at the same
>> time).
>> The good news is that we can create now all the tickets for the CVE
>> processed so far in the history of OFBiz, in order to implement what
>> Pierre
>> has proposed here.
>>
>> Jacopo
>>
>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[hidden email]>
>> wrote:
>>
>> Hi all,
>>>
>>> Recently we have seen some security issues fixed in the code base
>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>>> identifying, analysing and fixing these OFBiz security threats.
>>>
>>> When I look at how we communicate to our adopters that there are threats
>>> and how they can be mitigated [1] I believe we could and we should do a
>>> little bit more. There we merely put a reference to the CVE [2] issue
>>> (see
>>> [3] for example) there and and advice to upgrade. But on that page we
>>> leave
>>> out any particulars on how the issue affected OFBiz and what was done to
>>> it. Rightly so as it is just a list of notifications.
>>>
>>> The details about the effect of the issue and the mitigation is in
>>> commits.
>>> But there is no apparent relation between the notification on [1] and the
>>> actual commit that mitigated. Also reporting the CVE in JIRA issues not
>>> optimal. This leads to the fact that details don't appear in release
>>> notes
>>> very well.
>>>
>>> I believe we could and should do better. We should *always* have a JIRA
>>> issue explaining the CVE issue and its effect on the OFBiz product, have
>>> it
>>> enhanced with the proper tags or labels (e.g. CVE/Security), and - like
>>> any
>>> other JIRA issue - have it showing with which commit(s) it has been
>>> resolved and on which branch it has been implemented.
>>>
>>> With a proper filter definition on JIRA we can then shorten the
>>> vulnerability section in [1] and have that link to that JIRA filter
>>> definition.
>>>
>>> What do you think?
>>>
>>> References:
>>>
>>>     - [1] http://ofbiz.apache.org/download.html
>>>     - [2] CVE: Common Vulnerability and Exposure
>>>     - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>
>>>
>>> Best regards,
>>>
>>> Pierre Smits
>>>
>>> ORRTIZ.COM <http://www.orrtiz.com>
>>> OFBiz based solutions & services
>>>
>>> OFBiz Extensions Marketplace
>>> http://oem.ofbizci.net/oci-2/
>>>
>>>
>

> Of course, I implied this policy to be in line with
> http://www.apache.org/security/
>
> Best regards,
>
> Pierre Smits
>
> ORRTIZ.COM <http://www.orrtiz.com>
> OFBiz based solutions & services
>
> OFBiz Extensions Marketplace
> http://oem.ofbizci.net/oci-2/
>
> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <[hidden email]>
> wrote:
>
>> Yes I agree with Jacopo, when can create the issue only when they are
>> corrected
>>
>> Nicolas
>>
>>
>>
>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
>>
>>> We can definitely create one Jira ticket for each CVE number with all the
>>> details we want and link them from the "security" section of the OFBiz
>>> download page.
>>> This was probably implied in Pierre's proposal, but I prefer to explicitly
>>> state here: these tickets will be created only after the CVE are publicly
>>> disclosed (i.e. the tickets will be created and resolved at the same
>>> time).
>>> The good news is that we can create now all the tickets for the CVE
>>> processed so far in the history of OFBiz, in order to implement what
>>> Pierre
>>> has proposed here.
>>>
>>> Jacopo
>>>
>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[hidden email]>
>>> wrote:
>>>
>>> Hi all,
>>>> Recently we have seen some security issues fixed in the code base
>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>>>> identifying, analysing and fixing these OFBiz security threats.
>>>>
>>>> When I look at how we communicate to our adopters that there are threats
>>>> and how they can be mitigated [1] I believe we could and we should do a
>>>> little bit more. There we merely put a reference to the CVE [2] issue
>>>> (see
>>>> [3] for example) there and and advice to upgrade. But on that page we
>>>> leave
>>>> out any particulars on how the issue affected OFBiz and what was done to
>>>> it. Rightly so as it is just a list of notifications.
>>>>
>>>> The details about the effect of the issue and the mitigation is in
>>>> commits.
>>>> But there is no apparent relation between the notification on [1] and the
>>>> actual commit that mitigated. Also reporting the CVE in JIRA issues not
>>>> optimal. This leads to the fact that details don't appear in release
>>>> notes
>>>> very well.
>>>>
>>>> I believe we could and should do better. We should *always* have a JIRA
>>>> issue explaining the CVE issue and its effect on the OFBiz product, have
>>>> it
>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and - like
>>>> any
>>>> other JIRA issue - have it showing with which commit(s) it has been
>>>> resolved and on which branch it has been implemented.
>>>>
>>>> With a proper filter definition on JIRA we can then shorten the
>>>> vulnerability section in [1] and have that link to that JIRA filter
>>>> definition.
>>>>
>>>> What do you think?
>>>>
>>>> References:
>>>>
>>>>      - [1] http://ofbiz.apache.org/download.html
>>>>      - [2] CVE: Common Vulnerability and Exposure
>>>>      - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Pierre Smits
>>>>
>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>> OFBiz based solutions & services
>>>>
>>>> OFBiz Extensions Marketplace
>>>> http://oem.ofbizci.net/oci-2/
>>>>
>>>>

> Also it would be better if we can group all security issues in Jira. For
> that I created OFBIZ-1525, please if you create Jira security issues create
> (or convert) them as subtasks of OFBIZ-1525
>
> Thanks
>
> Jacques
>
>
> Le 29/11/2016 à 11:05, Pierre Smits a écrit :
>
>> Of course, I implied this policy to be in line with
>> http://www.apache.org/security/
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> ORRTIZ.COM <http://www.orrtiz.com>
>> OFBiz based solutions & services
>>
>> OFBiz Extensions Marketplace
>> http://oem.ofbizci.net/oci-2/
>>
>> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <[hidden email]
>> >
>> wrote:
>>
>> Yes I agree with Jacopo, when can create the issue only when they are
>>> corrected
>>>
>>> Nicolas
>>>
>>>
>>>
>>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
>>>
>>> We can definitely create one Jira ticket for each CVE number with all the
>>>> details we want and link them from the "security" section of the OFBiz
>>>> download page.
>>>> This was probably implied in Pierre's proposal, but I prefer to
>>>> explicitly
>>>> state here: these tickets will be created only after the CVE are
>>>> publicly
>>>> disclosed (i.e. the tickets will be created and resolved at the same
>>>> time).
>>>> The good news is that we can create now all the tickets for the CVE
>>>> processed so far in the history of OFBiz, in order to implement what
>>>> Pierre
>>>> has proposed here.
>>>>
>>>> Jacopo
>>>>
>>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[hidden email]>
>>>> wrote:
>>>>
>>>> Hi all,
>>>>
>>>>> Recently we have seen some security issues fixed in the code base
>>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>>>>> identifying, analysing and fixing these OFBiz security threats.
>>>>>
>>>>> When I look at how we communicate to our adopters that there are
>>>>> threats
>>>>> and how they can be mitigated [1] I believe we could and we should do a
>>>>> little bit more. There we merely put a reference to the CVE [2] issue
>>>>> (see
>>>>> [3] for example) there and and advice to upgrade. But on that page we
>>>>> leave
>>>>> out any particulars on how the issue affected OFBiz and what was done
>>>>> to
>>>>> it. Rightly so as it is just a list of notifications.
>>>>>
>>>>> The details about the effect of the issue and the mitigation is in
>>>>> commits.
>>>>> But there is no apparent relation between the notification on [1] and
>>>>> the
>>>>> actual commit that mitigated. Also reporting the CVE in JIRA issues not
>>>>> optimal. This leads to the fact that details don't appear in release
>>>>> notes
>>>>> very well.
>>>>>
>>>>> I believe we could and should do better. We should *always* have a JIRA
>>>>> issue explaining the CVE issue and its effect on the OFBiz product,
>>>>> have
>>>>> it
>>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and - like
>>>>> any
>>>>> other JIRA issue - have it showing with which commit(s) it has been
>>>>> resolved and on which branch it has been implemented.
>>>>>
>>>>> With a proper filter definition on JIRA we can then shorten the
>>>>> vulnerability section in [1] and have that link to that JIRA filter
>>>>> definition.
>>>>>
>>>>> What do you think?
>>>>>
>>>>> References:
>>>>>
>>>>>      - [1] http://ofbiz.apache.org/download.html
>>>>>      - [2] CVE: Common Vulnerability and Exposure
>>>>>      - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pierre Smits
>>>>>
>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>> OFBiz based solutions & services
>>>>>
>>>>> OFBiz Extensions Marketplace
>>>>> http://oem.ofbizci.net/oci-2/
>>>>>
>>>>>
>>>>>
>

> Rather than using subtasks I think it would be better to use a component
> (named CVE or similar).
>
> Il 29 Nov 2016 1:50 PM, "Jacques Le Roux" <[hidden email]>
> ha
> scritto:
>
> > Also it would be better if we can group all security issues in Jira. For
> > that I created OFBIZ-1525, please if you create Jira security issues
> create
> > (or convert) them as subtasks of OFBIZ-1525
> >
> > Thanks
> >
> > Jacques
> >
> >
> > Le 29/11/2016 à 11:05, Pierre Smits a écrit :
> >
> >> Of course, I implied this policy to be in line with
> >> http://www.apache.org/security/
> >>
> >> Best regards,
> >>
> >> Pierre Smits
> >>
> >> ORRTIZ.COM <http://www.orrtiz.com>
> >> OFBiz based solutions & services
> >>
> >> OFBiz Extensions Marketplace
> >> http://oem.ofbizci.net/oci-2/
> >>
> >> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <
> [hidden email]
> >> >
> >> wrote:
> >>
> >> Yes I agree with Jacopo, when can create the issue only when they are
> >>> corrected
> >>>
> >>> Nicolas
> >>>
> >>>
> >>>
> >>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
> >>>
> >>> We can definitely create one Jira ticket for each CVE number with all
> the
> >>>> details we want and link them from the "security" section of the OFBiz
> >>>> download page.
> >>>> This was probably implied in Pierre's proposal, but I prefer to
> >>>> explicitly
> >>>> state here: these tickets will be created only after the CVE are
> >>>> publicly
> >>>> disclosed (i.e. the tickets will be created and resolved at the same
> >>>> time).
> >>>> The good news is that we can create now all the tickets for the CVE
> >>>> processed so far in the history of OFBiz, in order to implement what
> >>>> Pierre
> >>>> has proposed here.
> >>>>
> >>>> Jacopo
> >>>>
> >>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <
> [hidden email]>
> >>>> wrote:
> >>>>
> >>>> Hi all,
> >>>>
> >>>>> Recently we have seen some security issues fixed in the code base
> >>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
> >>>>> identifying, analysing and fixing these OFBiz security threats.
> >>>>>
> >>>>> When I look at how we communicate to our adopters that there are
> >>>>> threats
> >>>>> and how they can be mitigated [1] I believe we could and we should
> do a
> >>>>> little bit more. There we merely put a reference to the CVE [2] issue
> >>>>> (see
> >>>>> [3] for example) there and and advice to upgrade. But on that page we
> >>>>> leave
> >>>>> out any particulars on how the issue affected OFBiz and what was done
> >>>>> to
> >>>>> it. Rightly so as it is just a list of notifications.
> >>>>>
> >>>>> The details about the effect of the issue and the mitigation is in
> >>>>> commits.
> >>>>> But there is no apparent relation between the notification on [1] and
> >>>>> the
> >>>>> actual commit that mitigated. Also reporting the CVE in JIRA issues
> not
> >>>>> optimal. This leads to the fact that details don't appear in release
> >>>>> notes
> >>>>> very well.
> >>>>>
> >>>>> I believe we could and should do better. We should *always* have a
> JIRA
> >>>>> issue explaining the CVE issue and its effect on the OFBiz product,
> >>>>> have
> >>>>> it
> >>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and -
> like
> >>>>> any
> >>>>> other JIRA issue - have it showing with which commit(s) it has been
> >>>>> resolved and on which branch it has been implemented.
> >>>>>
> >>>>> With a proper filter definition on JIRA we can then shorten the
> >>>>> vulnerability section in [1] and have that link to that JIRA filter
> >>>>> definition.
> >>>>>
> >>>>> What do you think?
> >>>>>
> >>>>> References:
> >>>>>
> >>>>>      - [1] http://ofbiz.apache.org/download.html
> >>>>>      - [2] CVE: Common Vulnerability and Exposure
> >>>>>      - [3] http://cve.mitre.org/cgi-bin/
> cvename.cgi?name=CVE-2016-6800
> >>>>>
> >>>>>
> >>>>> Best regards,
> >>>>>
> >>>>> Pierre Smits
> >>>>>
> >>>>> ORRTIZ.COM <http://www.orrtiz.com>
> >>>>> OFBiz based solutions & services
> >>>>>
> >>>>> OFBiz Extensions Marketplace
> >>>>> http://oem.ofbizci.net/oci-2/
> >>>>>
> >>>>>
> >>>>>
> >
>

> Well...
>
> CVEs can occur on any component (even though past issues have been related
> for most to framework components. So having a particular component just for
> CVE reference purposes would complicate matters as much as converting JIRA
> issues into sub-tasks.
>
> Applying a tag to the issue (e.g. CVE) and using a persisted filter in JIRA
> would be sufficient to link to from the download page (and elsewhere e.g.
> the 'keeping OFBiz secure' cwiki page.
>
> Best regards,
>
>
>
>
> Pierre Smits
>
> ORRTIZ.COM <http://www.orrtiz.com>
> OFBiz based solutions & services
>
> OFBiz Extensions Marketplace
> http://oem.ofbizci.net/oci-2/
>
> On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <
> [hidden email]> wrote:
>
> > Rather than using subtasks I think it would be better to use a component
> > (named CVE or similar).
> >
> > Il 29 Nov 2016 1:50 PM, "Jacques Le Roux" <[hidden email]>
> > ha
> > scritto:
> >
> > > Also it would be better if we can group all security issues in Jira.
> For
> > > that I created OFBIZ-1525, please if you create Jira security issues
> > create
> > > (or convert) them as subtasks of OFBIZ-1525
> > >
> > > Thanks
> > >
> > > Jacques
> > >
> > >
> > > Le 29/11/2016 à 11:05, Pierre Smits a écrit :
> > >
> > >> Of course, I implied this policy to be in line with
> > >> http://www.apache.org/security/
> > >>
> > >> Best regards,
> > >>
> > >> Pierre Smits
> > >>
> > >> ORRTIZ.COM <http://www.orrtiz.com>
> > >> OFBiz based solutions & services
> > >>
> > >> OFBiz Extensions Marketplace
> > >> http://oem.ofbizci.net/oci-2/
> > >>
> > >> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <
> > [hidden email]
> > >> >
> > >> wrote:
> > >>
> > >> Yes I agree with Jacopo, when can create the issue only when they are
> > >>> corrected
> > >>>
> > >>> Nicolas
> > >>>
> > >>>
> > >>>
> > >>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
> > >>>
> > >>> We can definitely create one Jira ticket for each CVE number with all
> > the
> > >>>> details we want and link them from the "security" section of the
> OFBiz
> > >>>> download page.
> > >>>> This was probably implied in Pierre's proposal, but I prefer to
> > >>>> explicitly
> > >>>> state here: these tickets will be created only after the CVE are
> > >>>> publicly
> > >>>> disclosed (i.e. the tickets will be created and resolved at the same
> > >>>> time).
> > >>>> The good news is that we can create now all the tickets for the CVE
> > >>>> processed so far in the history of OFBiz, in order to implement what
> > >>>> Pierre
> > >>>> has proposed here.
> > >>>>
> > >>>> Jacopo
> > >>>>
> > >>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <
> > [hidden email]>
> > >>>> wrote:
> > >>>>
> > >>>> Hi all,
> > >>>>
> > >>>>> Recently we have seen some security issues fixed in the code base
> > >>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated
> in
> > >>>>> identifying, analysing and fixing these OFBiz security threats.
> > >>>>>
> > >>>>> When I look at how we communicate to our adopters that there are
> > >>>>> threats
> > >>>>> and how they can be mitigated [1] I believe we could and we should
> > do a
> > >>>>> little bit more. There we merely put a reference to the CVE [2]
> issue
> > >>>>> (see
> > >>>>> [3] for example) there and and advice to upgrade. But on that page
> we
> > >>>>> leave
> > >>>>> out any particulars on how the issue affected OFBiz and what was
> done
> > >>>>> to
> > >>>>> it. Rightly so as it is just a list of notifications.
> > >>>>>
> > >>>>> The details about the effect of the issue and the mitigation is in
> > >>>>> commits.
> > >>>>> But there is no apparent relation between the notification on [1]
> and
> > >>>>> the
> > >>>>> actual commit that mitigated. Also reporting the CVE in JIRA issues
> > not
> > >>>>> optimal. This leads to the fact that details don't appear in
> release
> > >>>>> notes
> > >>>>> very well.
> > >>>>>
> > >>>>> I believe we could and should do better. We should *always* have a
> > JIRA
> > >>>>> issue explaining the CVE issue and its effect on the OFBiz product,
> > >>>>> have
> > >>>>> it
> > >>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and -
> > like
> > >>>>> any
> > >>>>> other JIRA issue - have it showing with which commit(s) it has been
> > >>>>> resolved and on which branch it has been implemented.
> > >>>>>
> > >>>>> With a proper filter definition on JIRA we can then shorten the
> > >>>>> vulnerability section in [1] and have that link to that JIRA filter
> > >>>>> definition.
> > >>>>>
> > >>>>> What do you think?
> > >>>>>
> > >>>>> References:
> > >>>>>
> > >>>>>      - [1] http://ofbiz.apache.org/download.html
> > >>>>>      - [2] CVE: Common Vulnerability and Exposure
> > >>>>>      - [3] http://cve.mitre.org/cgi-bin/
> > cvename.cgi?name=CVE-2016-6800
> > >>>>>
> > >>>>>
> > >>>>> Best regards,
> > >>>>>
> > >>>>> Pierre Smits
> > >>>>>
> > >>>>> ORRTIZ.COM <http://www.orrtiz.com>
> > >>>>> OFBiz based solutions & services
> > >>>>>
> > >>>>> OFBiz Extensions Marketplace
> > >>>>> http://oem.ofbizci.net/oci-2/
> > >>>>>
> > >>>>>
> > >>>>>
> > >
> >
>

> Tags or components are fine to me (you can specify more than one component
> to each ticket); I agree that a tag may be more appropriate for this use
> case. My preference is just to not use subtasks.
>
> Jacopo
>
> On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <[hidden email]>
> wrote:
>
> > Well...
> >
> > CVEs can occur on any component (even though past issues have been
> related
> > for most to framework components. So having a particular component just
> for
> > CVE reference purposes would complicate matters as much as converting
> JIRA
> > issues into sub-tasks.
> >
> > Applying a tag to the issue (e.g. CVE) and using a persisted filter in
> JIRA
> > would be sufficient to link to from the download page (and elsewhere e.g.
> > the 'keeping OFBiz secure' cwiki page.
> >
> > Best regards,
> >
> >
> >
> >
> > Pierre Smits
> >
> > ORRTIZ.COM <http://www.orrtiz.com>
> > OFBiz based solutions & services
> >
> > OFBiz Extensions Marketplace
> > http://oem.ofbizci.net/oci-2/
> >
> > On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <
> > [hidden email]> wrote:
> >
> > > Rather than using subtasks I think it would be better to use a
> component
> > > (named CVE or similar).
> > >
> > > Il 29 Nov 2016 1:50 PM, "Jacques Le Roux" <
> [hidden email]>
> > > ha
> > > scritto:
> > >
> > > > Also it would be better if we can group all security issues in Jira.
> > For
> > > > that I created OFBIZ-1525, please if you create Jira security issues
> > > create
> > > > (or convert) them as subtasks of OFBIZ-1525
> > > >
> > > > Thanks
> > > >
> > > > Jacques
> > > >
> > > >
> > > > Le 29/11/2016 à 11:05, Pierre Smits a écrit :
> > > >
> > > >> Of course, I implied this policy to be in line with
> > > >> http://www.apache.org/security/
> > > >>
> > > >> Best regards,
> > > >>
> > > >> Pierre Smits
> > > >>
> > > >> ORRTIZ.COM <http://www.orrtiz.com>
> > > >> OFBiz based solutions & services
> > > >>
> > > >> OFBiz Extensions Marketplace
> > > >> http://oem.ofbizci.net/oci-2/
> > > >>
> > > >> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <
> > > [hidden email]
> > > >> >
> > > >> wrote:
> > > >>
> > > >> Yes I agree with Jacopo, when can create the issue only when they
> are
> > > >>> corrected
> > > >>>
> > > >>> Nicolas
> > > >>>
> > > >>>
> > > >>>
> > > >>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
> > > >>>
> > > >>> We can definitely create one Jira ticket for each CVE number with
> all
> > > the
> > > >>>> details we want and link them from the "security" section of the
> > OFBiz
> > > >>>> download page.
> > > >>>> This was probably implied in Pierre's proposal, but I prefer to
> > > >>>> explicitly
> > > >>>> state here: these tickets will be created only after the CVE are
> > > >>>> publicly
> > > >>>> disclosed (i.e. the tickets will be created and resolved at the
> same
> > > >>>> time).
> > > >>>> The good news is that we can create now all the tickets for the
> CVE
> > > >>>> processed so far in the history of OFBiz, in order to implement
> what
> > > >>>> Pierre
> > > >>>> has proposed here.
> > > >>>>
> > > >>>> Jacopo
> > > >>>>
> > > >>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <
> > > [hidden email]>
> > > >>>> wrote:
> > > >>>>
> > > >>>> Hi all,
> > > >>>>
> > > >>>>> Recently we have seen some security issues fixed in the code base
> > > >>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated
> > in
> > > >>>>> identifying, analysing and fixing these OFBiz security threats.
> > > >>>>>
> > > >>>>> When I look at how we communicate to our adopters that there are
> > > >>>>> threats
> > > >>>>> and how they can be mitigated [1] I believe we could and we
> should
> > > do a
> > > >>>>> little bit more. There we merely put a reference to the CVE [2]
> > issue
> > > >>>>> (see
> > > >>>>> [3] for example) there and and advice to upgrade. But on that
> page
> > we
> > > >>>>> leave
> > > >>>>> out any particulars on how the issue affected OFBiz and what was
> > done
> > > >>>>> to
> > > >>>>> it. Rightly so as it is just a list of notifications.
> > > >>>>>
> > > >>>>> The details about the effect of the issue and the mitigation is
> in
> > > >>>>> commits.
> > > >>>>> But there is no apparent relation between the notification on [1]
> > and
> > > >>>>> the
> > > >>>>> actual commit that mitigated. Also reporting the CVE in JIRA
> issues
> > > not
> > > >>>>> optimal. This leads to the fact that details don't appear in
> > release
> > > >>>>> notes
> > > >>>>> very well.
> > > >>>>>
> > > >>>>> I believe we could and should do better. We should *always* have
> a
> > > JIRA
> > > >>>>> issue explaining the CVE issue and its effect on the OFBiz
> product,
> > > >>>>> have
> > > >>>>> it
> > > >>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and
> -
> > > like
> > > >>>>> any
> > > >>>>> other JIRA issue - have it showing with which commit(s) it has
> been
> > > >>>>> resolved and on which branch it has been implemented.
> > > >>>>>
> > > >>>>> With a proper filter definition on JIRA we can then shorten the
> > > >>>>> vulnerability section in [1] and have that link to that JIRA
> filter
> > > >>>>> definition.
> > > >>>>>
> > > >>>>> What do you think?
> > > >>>>>
> > > >>>>> References:
> > > >>>>>
> > > >>>>>      - [1] http://ofbiz.apache.org/download.html
> > > >>>>>      - [2] CVE: Common Vulnerability and Exposure
> > > >>>>>      - [3] http://cve.mitre.org/cgi-bin/
> > > cvename.cgi?name=CVE-2016-6800
> > > >>>>>
> > > >>>>>
> > > >>>>> Best regards,
> > > >>>>>
> > > >>>>> Pierre Smits
> > > >>>>>
> > > >>>>> ORRTIZ.COM <http://www.orrtiz.com>
> > > >>>>> OFBiz based solutions & services
> > > >>>>>
> > > >>>>> OFBiz Extensions Marketplace
> > > >>>>> http://oem.ofbizci.net/oci-2/
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >
> > >
> >
>

> Hi all,
>
> Using JIRA is a good idea, and we need to be able to find them. But a
> security issue is not a subtask and not a component. I think a tag will
> work fine.
>
> Thanks
>
> Paul
>
>
> On 30 November 2016 at 00:42, Jacopo Cappellato <
> [hidden email]> wrote:
>
>> Tags or components are fine to me (you can specify more than one component
>> to each ticket); I agree that a tag may be more appropriate for this use
>> case. My preference is just to not use subtasks.
>>
>> Jacopo
>>
>> On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <[hidden email]>
>> wrote:
>>
>>> Well...
>>>
>>> CVEs can occur on any component (even though past issues have been
>> related
>>> for most to framework components. So having a particular component just
>> for
>>> CVE reference purposes would complicate matters as much as converting
>> JIRA
>>> issues into sub-tasks.
>>>
>>> Applying a tag to the issue (e.g. CVE) and using a persisted filter in
>> JIRA
>>> would be sufficient to link to from the download page (and elsewhere e.g.
>>> the 'keeping OFBiz secure' cwiki page.
>>>
>>> Best regards,
>>>
>>>
>>>
>>>
>>> Pierre Smits
>>>
>>> ORRTIZ.COM <http://www.orrtiz.com>
>>> OFBiz based solutions & services
>>>
>>> OFBiz Extensions Marketplace
>>> http://oem.ofbizci.net/oci-2/
>>>
>>> On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <
>>> [hidden email]> wrote:
>>>
>>>> Rather than using subtasks I think it would be better to use a
>> component
>>>> (named CVE or similar).
>>>>
>>>> Il 29 Nov 2016 1:50 PM, "Jacques Le Roux" <
>> [hidden email]>
>>>> ha
>>>> scritto:
>>>>
>>>>> Also it would be better if we can group all security issues in Jira.
>>> For
>>>>> that I created OFBIZ-1525, please if you create Jira security issues
>>>> create
>>>>> (or convert) them as subtasks of OFBIZ-1525
>>>>>
>>>>> Thanks
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>> Le 29/11/2016 à 11:05, Pierre Smits a écrit :
>>>>>
>>>>>> Of course, I implied this policy to be in line with
>>>>>> http://www.apache.org/security/
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Pierre Smits
>>>>>>
>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>> OFBiz based solutions & services
>>>>>>
>>>>>> OFBiz Extensions Marketplace
>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>
>>>>>> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <
>>>> [hidden email]
>>>>>> wrote:
>>>>>>
>>>>>> Yes I agree with Jacopo, when can create the issue only when they
>> are
>>>>>>> corrected
>>>>>>>
>>>>>>> Nicolas
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
>>>>>>>
>>>>>>> We can definitely create one Jira ticket for each CVE number with
>> all
>>>> the
>>>>>>>> details we want and link them from the "security" section of the
>>> OFBiz
>>>>>>>> download page.
>>>>>>>> This was probably implied in Pierre's proposal, but I prefer to
>>>>>>>> explicitly
>>>>>>>> state here: these tickets will be created only after the CVE are
>>>>>>>> publicly
>>>>>>>> disclosed (i.e. the tickets will be created and resolved at the
>> same
>>>>>>>> time).
>>>>>>>> The good news is that we can create now all the tickets for the
>> CVE
>>>>>>>> processed so far in the history of OFBiz, in order to implement
>> what
>>>>>>>> Pierre
>>>>>>>> has proposed here.
>>>>>>>>
>>>>>>>> Jacopo
>>>>>>>>
>>>>>>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <
>>>> [hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>>> Recently we have seen some security issues fixed in the code base
>>>>>>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated
>>> in
>>>>>>>>> identifying, analysing and fixing these OFBiz security threats.
>>>>>>>>>
>>>>>>>>> When I look at how we communicate to our adopters that there are
>>>>>>>>> threats
>>>>>>>>> and how they can be mitigated [1] I believe we could and we
>> should
>>>> do a
>>>>>>>>> little bit more. There we merely put a reference to the CVE [2]
>>> issue
>>>>>>>>> (see
>>>>>>>>> [3] for example) there and and advice to upgrade. But on that
>> page
>>> we
>>>>>>>>> leave
>>>>>>>>> out any particulars on how the issue affected OFBiz and what was
>>> done
>>>>>>>>> to
>>>>>>>>> it. Rightly so as it is just a list of notifications.
>>>>>>>>>
>>>>>>>>> The details about the effect of the issue and the mitigation is
>> in
>>>>>>>>> commits.
>>>>>>>>> But there is no apparent relation between the notification on [1]
>>> and
>>>>>>>>> the
>>>>>>>>> actual commit that mitigated. Also reporting the CVE in JIRA
>> issues
>>>> not
>>>>>>>>> optimal. This leads to the fact that details don't appear in
>>> release
>>>>>>>>> notes
>>>>>>>>> very well.
>>>>>>>>>
>>>>>>>>> I believe we could and should do better. We should *always* have
>> a
>>>> JIRA
>>>>>>>>> issue explaining the CVE issue and its effect on the OFBiz
>> product,
>>>>>>>>> have
>>>>>>>>> it
>>>>>>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and
>> -
>>>> like
>>>>>>>>> any
>>>>>>>>> other JIRA issue - have it showing with which commit(s) it has
>> been
>>>>>>>>> resolved and on which branch it has been implemented.
>>>>>>>>>
>>>>>>>>> With a proper filter definition on JIRA we can then shorten the
>>>>>>>>> vulnerability section in [1] and have that link to that JIRA
>> filter
>>>>>>>>> definition.
>>>>>>>>>
>>>>>>>>> What do you think?
>>>>>>>>>
>>>>>>>>> References:
>>>>>>>>>
>>>>>>>>>       - [1] http://ofbiz.apache.org/download.html
>>>>>>>>>       - [2] CVE: Common Vulnerability and Exposure
>>>>>>>>>       - [3] http://cve.mitre.org/cgi-bin/
>>>> cvename.cgi?name=CVE-2016-6800
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>>
>>>>>>>>> Pierre Smits
>>>>>>>>>
>>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>>>> OFBiz based solutions & services
>>>>>>>>>
>>>>>>>>> OFBiz Extensions Marketplace
>>>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>
>

> +1 for tags
>
> Tthere are only few OFBIZ-1525 subtasks which are related to a CVE. I can add the CVE tags in them and in future we can just create tasks with the
> CVE tag
>
> Agreed?
>
> Jacques
>
>
> Le 30/11/2016 à 00:02, Paul Foxworthy a écrit :
>> Hi all,
>>
>> Using JIRA is a good idea, and we need to be able to find them. But a
>> security issue is not a subtask and not a component. I think a tag will
>> work fine.
>>
>> Thanks
>>
>> Paul
>>
>>
>> On 30 November 2016 at 00:42, Jacopo Cappellato <
>> [hidden email]> wrote:
>>
>>> Tags or components are fine to me (you can specify more than one component
>>> to each ticket); I agree that a tag may be more appropriate for this use
>>> case. My preference is just to not use subtasks.
>>>
>>> Jacopo
>>>
>>> On Tue, Nov 29, 2016 at 2:13 PM, Pierre Smits <[hidden email]>
>>> wrote:
>>>
>>>> Well...
>>>>
>>>> CVEs can occur on any component (even though past issues have been
>>> related
>>>> for most to framework components. So having a particular component just
>>> for
>>>> CVE reference purposes would complicate matters as much as converting
>>> JIRA
>>>> issues into sub-tasks.
>>>>
>>>> Applying a tag to the issue (e.g. CVE) and using a persisted filter in
>>> JIRA
>>>> would be sufficient to link to from the download page (and elsewhere e.g.
>>>> the 'keeping OFBiz secure' cwiki page.
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>>
>>>> Pierre Smits
>>>>
>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>> OFBiz based solutions & services
>>>>
>>>> OFBiz Extensions Marketplace
>>>> http://oem.ofbizci.net/oci-2/
>>>>
>>>> On Tue, Nov 29, 2016 at 2:04 PM, Jacopo Cappellato <
>>>> [hidden email]> wrote:
>>>>
>>>>> Rather than using subtasks I think it would be better to use a
>>> component
>>>>> (named CVE or similar).
>>>>>
>>>>> Il 29 Nov 2016 1:50 PM, "Jacques Le Roux" <
>>> [hidden email]>
>>>>> ha
>>>>> scritto:
>>>>>
>>>>>> Also it would be better if we can group all security issues in Jira.
>>>> For
>>>>>> that I created OFBIZ-1525, please if you create Jira security issues
>>>>> create
>>>>>> (or convert) them as subtasks of OFBIZ-1525
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> Le 29/11/2016 à 11:05, Pierre Smits a écrit :
>>>>>>
>>>>>>> Of course, I implied this policy to be in line with
>>>>>>> http://www.apache.org/security/
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pierre Smits
>>>>>>>
>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>> OFBiz based solutions & services
>>>>>>>
>>>>>>> OFBiz Extensions Marketplace
>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>
>>>>>>> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <
>>>>> [hidden email]
>>>>>>> wrote:
>>>>>>>
>>>>>>> Yes I agree with Jacopo, when can create the issue only when they
>>> are
>>>>>>>> corrected
>>>>>>>>
>>>>>>>> Nicolas
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Le 29/11/2016 à 10:55, Jacopo Cappellato a écrit :
>>>>>>>>
>>>>>>>> We can definitely create one Jira ticket for each CVE number with
>>> all
>>>>> the
>>>>>>>>> details we want and link them from the "security" section of the
>>>> OFBiz
>>>>>>>>> download page.
>>>>>>>>> This was probably implied in Pierre's proposal, but I prefer to
>>>>>>>>> explicitly
>>>>>>>>> state here: these tickets will be created only after the CVE are
>>>>>>>>> publicly
>>>>>>>>> disclosed (i.e. the tickets will be created and resolved at the
>>> same
>>>>>>>>> time).
>>>>>>>>> The good news is that we can create now all the tickets for the
>>> CVE
>>>>>>>>> processed so far in the history of OFBiz, in order to implement
>>> what
>>>>>>>>> Pierre
>>>>>>>>> has proposed here.
>>>>>>>>>
>>>>>>>>> Jacopo
>>>>>>>>>
>>>>>>>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <
>>>>> [hidden email]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>>> Recently we have seen some security issues fixed in the code base
>>>>>>>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated
>>>> in
>>>>>>>>>> identifying, analysing and fixing these OFBiz security threats.
>>>>>>>>>>
>>>>>>>>>> When I look at how we communicate to our adopters that there are
>>>>>>>>>> threats
>>>>>>>>>> and how they can be mitigated [1] I believe we could and we
>>> should
>>>>> do a
>>>>>>>>>> little bit more. There we merely put a reference to the CVE [2]
>>>> issue
>>>>>>>>>> (see
>>>>>>>>>> [3] for example) there and and advice to upgrade. But on that
>>> page
>>>> we
>>>>>>>>>> leave
>>>>>>>>>> out any particulars on how the issue affected OFBiz and what was
>>>> done
>>>>>>>>>> to
>>>>>>>>>> it. Rightly so as it is just a list of notifications.
>>>>>>>>>>
>>>>>>>>>> The details about the effect of the issue and the mitigation is
>>> in
>>>>>>>>>> commits.
>>>>>>>>>> But there is no apparent relation between the notification on [1]
>>>> and
>>>>>>>>>> the
>>>>>>>>>> actual commit that mitigated. Also reporting the CVE in JIRA
>>> issues
>>>>> not
>>>>>>>>>> optimal. This leads to the fact that details don't appear in
>>>> release
>>>>>>>>>> notes
>>>>>>>>>> very well.
>>>>>>>>>>
>>>>>>>>>> I believe we could and should do better. We should *always* have
>>> a
>>>>> JIRA
>>>>>>>>>> issue explaining the CVE issue and its effect on the OFBiz
>>> product,
>>>>>>>>>> have
>>>>>>>>>> it
>>>>>>>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and
>>> -
>>>>> like
>>>>>>>>>> any
>>>>>>>>>> other JIRA issue - have it showing with which commit(s) it has
>>> been
>>>>>>>>>> resolved and on which branch it has been implemented.
>>>>>>>>>>
>>>>>>>>>> With a proper filter definition on JIRA we can then shorten the
>>>>>>>>>> vulnerability section in [1] and have that link to that JIRA
>>> filter
>>>>>>>>>> definition.
>>>>>>>>>>
>>>>>>>>>> What do you think?
>>>>>>>>>>
>>>>>>>>>> References:
>>>>>>>>>>
>>>>>>>>>>       - [1] http://ofbiz.apache.org/download.html
>>>>>>>>>>       - [2] CVE: Common Vulnerability and Exposure
>>>>>>>>>>       - [3] http://cve.mitre.org/cgi-bin/
>>>>> cvename.cgi?name=CVE-2016-6800
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>>
>>>>>>>>>> Pierre Smits
>>>>>>>>>>
>>>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>>>>> OFBiz based solutions & services
>>>>>>>>>>
>>>>>>>>>> OFBiz Extensions Marketplace
>>>>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>
>>
>