Foswiki Security Alert Process
I discovered a security issue. Now What?
Important: In case you think that you discovered a security issue that could potentially compromise Foswiki installations, please send an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at mailto:foswiki-security@foswiki.org. We will follow up in a timely manner with a fix and will inform administrators before the issue gets public.
Note: You cannot subscribe to the foswiki-security mailing list. It is for the security team only. To keep yourself up to date with security announcements, please subscribe to the foswiki-announce mailing list.
How can I get notified of security issues?
- Please subscribe to the foswiki-announce mailing list to get updates on new Foswiki releases and Foswiki vulnerabilities in a timely manner. See MailingLists for information about Foswiki mailing lists and how to subscribe to them.
Security Alert Process
The Foswiki community is trying its best to provide a hotfix and to send SecurityAlerts to Foswiki site administrators in a timely manner.
- Someone sends an e-mail to the SecurityTaskTeam via the foswiki-security mailing list at mailto:foswiki-security@foswiki.org
- The SecurityTaskTeam triages the seriousness of the issue:
  - Severity 1 issue: The web server can be compromised
    - Example: Software can be installed and executed remotely
    - Example: User input can result in severe Denial of Service (swap space exhaustion and crash)
    - Responsiveness goal: Fix and alert within 24 hours
  - Severity 2 issue: The Foswiki installation is compromised
    - Example: The access control of the admin group can be circumvented
    - Responsiveness goal: Fix and alert within 48 hours
  - Severity 3 issue: Foswiki content or browser is compromised
    - Responsiveness goal: Handle as a bug report in the Tasks web, no alert
- Action for Severity 1 and 2 issues:
  - Verify the issue
  - Create a hotfix for affected Foswiki production releases
  - Obtain a CVE
  - Initial alert: Alert foswiki-announce and foswiki-discuss mailing list members
  - After a 2 day grace period, avoiding the weekend: Issue a public security advisory
  - Create a patched production release or a Hot Fix for the latest production release within 7 days
- Action for Severity 3 issues:
  - File a bug report in the Tasks web.
  - Fix in the development branch for the upcoming Foswiki production release
  - Create a non-CVE alert if appropriate.
Note that the security team can choose to delay the initial alert by a few days if the fix is relatively easy to implement, so that the announcement can happen together with a full patch release.
Developer generated security alerts
Severity 1 and 2 alerts
- Obtain a CVE number from Mitre using this online form: https://cveform.mitre.org/
- Create a new alert topic using SecurityAlertCVETemplate as a template in the Support web. Make sure the name is SecurityAlert-CVE-Num-ber where Num-ber is the number from Mitre.
- Make sure the new alert is protected so that only the security task team and admins can read it
- When ready, remove the read protection.
Severity 3 alerts
- Create a new alert topic using SecurityAlertCVETemplate as a template in the Support web. Make sure the name is SecurityAlert-<SomeName>-YYYY-MMDD.
- Make sure the new alert is protected so that only the security task team and admins can read it
- When ready, remove the read protection.