Merge pull request #3128 from hjoliver/add-security-md-78x

Add SECURITY.md (7.8.x)
cylc · Apr 26, 2019 · bf7bd1b · bf7bd1b
2 parents cb40424 + 971876e
commit bf7bd1b
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -5,6 +5,21 @@ all changes see the [closed
 milestones](https://github.com/cylc/cylc-flow/milestones?state=closed) for each
 release.
 
+-------------------------------------------------------------------------------
+## SECURITY NOTE
+
+*[Jinja2 CVE-2019-8341 (High)](https://nvd.nist.gov/vuln/detail/CVE-2019-8341)
+An issue was discovered in Jinja2 2.10. The `from_string` function is prone to
+Server Side Template Injection (SSTI) where it takes the "source" parameter as
+a template object, renders it, and then returns it. The attacker can exploit it
+with `{{INJECTION COMMANDS}}` in a URI*
+
+- cylc-7 (7.8.x branch, written in Python 2) has a bundled copy of Jinja2 2.10
+that cannot be updated because the new Jinja2 requires Python 3. However **this
+CVE does not impact cylc-7 because Cylc workflow definitions are not web
+pages**.
+- cylc-8 (master branch, written in Python 3) does not bundle Jinja2, and uses the fixed version 2.10.1.
+
 -------------------------------------------------------------------------------
 ## __cylc-7.8.1 (2019-01-25)__
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,39 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the Cylc
+project.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The Cylc maintainers take security bugs seriously. Thank you for improving the
+security of Cylc. We appreciate your efforts and responsible disclosure and
+will make every effort to acknowledge your contributions.
+
+Please report security bugs by sending an email to the lead Cylc maintainers,
+[Hilary Oliver](mailto:hilary.oliver@niwa.co.nz) and [Matt
+Shin](matthew.shin@metoffice.gov.uk). If a fix is needed, progress will be
+recorded on Cylc repository Issue page on GitHub, and resulting new releases
+will be announced on the Cylc [mail forum](mailto:cylc@googlegroups.com). 
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the Cylc maintainers receive a security bug report, they will assign it to
+a primary handler. This person will coordinate the fix and release process as
+follows:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.