From f95651dc484a0137d3941ec04e85eac2d1c13e2a Mon Sep 17 00:00:00 2001 From: Hilary James Oliver Date: Fri, 26 Apr 2019 16:50:39 +1200 Subject: [PATCH 1/4] Added SECURITY.md --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..5907d380875 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,53 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the Cylc +project. + + * [Reporting a Bug](#reporting-a-bug) + * [Disclosure Policy](#disclosure-policy) + * [Comments on this Policy](#comments-on-this-policy) + * [Current Alerts](#current-alerts) + +## Reporting a Bug + +The Cylc team take security bugs seriously. Thank you for improving the +security of Cylc. We appreciate your efforts and responsible disclosure and +will make every effort to acknowledge your contributions. + +Report security bugs by sending an email to the [Cylc +Forum](mailto:cylc@googlegroups.com) or by posting a [Cylc repository +Issue](https://github.com/cylc/cylc-flow/issues). Project maintainers will +endeavor to respond within 48 hours. Progress toward a fix will be recorded on +the Issue page, and resulting new releases will be announced on the mail forum. + +Report security bugs in third-party modules to the person or team maintaining +the module. + +## Disclosure Policy + +When the team receives a security bug report, they will assign it to a primary +handler. This person will coordinate the fix and release process as follows: + + * Confirm the problem and determine the affected versions. + * Audit code to find any potential similar problems. + * Prepare fixes for all releases still under maintenance. These fixes will be + released as fast as possible. + +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request. + +## Current Alerts + +*[Jinja2 CVE-2019-8341 (High)](https://nvd.nist.gov/vuln/detail/CVE-2019-8341) +An issue was discovered in Jinja2 2.10. The `from_string` function is prone to +Server Side Template Injection (SSTI) where it takes the "source" parameter as +a template object, renders it, and then returns it. The attacker can exploit it +with `{{INJECTION COMMANDS}}` in a URI* + +- cylc-7 (7.8.x branch, written in Python 2) has a bundled copy of Jinja2 2.10 +that cannot be updated because the new Jinja2 requires Python 3. However **this +CVE does not impact cylc-7 because Cylc workflow definitions are not web +pages**. +- cylc-8 (master branch, written in Python 3) does not bundle Jinja2. From 076bfe6f272ac9b26b4cf4241a32a7de4deedcdd Mon Sep 17 00:00:00 2001 From: Hilary James Oliver Date: Fri, 26 Apr 2019 23:40:49 +1200 Subject: [PATCH 2/4] Tweak after review feedback. --- SECURITY.md | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5907d380875..fdaabd6c082 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,27 +6,27 @@ project. * [Reporting a Bug](#reporting-a-bug) * [Disclosure Policy](#disclosure-policy) * [Comments on this Policy](#comments-on-this-policy) - * [Current Alerts](#current-alerts) ## Reporting a Bug -The Cylc team take security bugs seriously. Thank you for improving the +The Cylc maintainers take security bugs seriously. Thank you for improving the security of Cylc. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions. -Report security bugs by sending an email to the [Cylc -Forum](mailto:cylc@googlegroups.com) or by posting a [Cylc repository -Issue](https://github.com/cylc/cylc-flow/issues). Project maintainers will -endeavor to respond within 48 hours. Progress toward a fix will be recorded on -the Issue page, and resulting new releases will be announced on the mail forum. +Please report security bugs by sending an email to the lead Cylc maintainers, +[Hilary Oliver](mailto:hilary.oliver@niwa.co.nz) and [Matt +Shin](matthew.shin@metoffice.gov.uk). If a fix is needed, progress will be +recorded on Cylc repository Issue page on GitHub, and resulting new releases +will be announced on the Cylc [mail forum](mailto:cylc@googlegroups.com). Report security bugs in third-party modules to the person or team maintaining the module. ## Disclosure Policy -When the team receives a security bug report, they will assign it to a primary -handler. This person will coordinate the fix and release process as follows: +When the Cylc maintainers receive a security bug report, they will assign it to +a primary handler. This person will coordinate the fix and release process as +follows: * Confirm the problem and determine the affected versions. * Audit code to find any potential similar problems. @@ -37,17 +37,3 @@ handler. This person will coordinate the fix and release process as follows: If you have suggestions on how this process could be improved please submit a pull request. - -## Current Alerts - -*[Jinja2 CVE-2019-8341 (High)](https://nvd.nist.gov/vuln/detail/CVE-2019-8341) -An issue was discovered in Jinja2 2.10. The `from_string` function is prone to -Server Side Template Injection (SSTI) where it takes the "source" parameter as -a template object, renders it, and then returns it. The attacker can exploit it -with `{{INJECTION COMMANDS}}` in a URI* - -- cylc-7 (7.8.x branch, written in Python 2) has a bundled copy of Jinja2 2.10 -that cannot be updated because the new Jinja2 requires Python 3. However **this -CVE does not impact cylc-7 because Cylc workflow definitions are not web -pages**. -- cylc-8 (master branch, written in Python 3) does not bundle Jinja2. From 7ce516c397d3b4a3f34bd3ca26fec8b891425feb Mon Sep 17 00:00:00 2001 From: Hilary James Oliver Date: Fri, 26 Apr 2019 23:42:20 +1200 Subject: [PATCH 3/4] Add Jinja2 CVE note to change log. --- CHANGES.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 1c2dee3d48b..6a1da823925 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -5,6 +5,21 @@ all changes see the [closed milestones](https://github.com/cylc/cylc/milestones?state=closed) for each release. +------------------------------------------------------------------------------- +## SECURITY NOTE + +*[Jinja2 CVE-2019-8341 (High)](https://nvd.nist.gov/vuln/detail/CVE-2019-8341) +An issue was discovered in Jinja2 2.10. The `from_string` function is prone to +Server Side Template Injection (SSTI) where it takes the "source" parameter as +a template object, renders it, and then returns it. The attacker can exploit it +with `{{INJECTION COMMANDS}}` in a URI* + +- cylc-7 (7.8.x branch, written in Python 2) has a bundled copy of Jinja2 2.10 +that cannot be updated because the new Jinja2 requires Python 3. However **this +CVE does not impact cylc-7 because Cylc workflow definitions are not web +pages**. +- cylc-8 (master branch, written in Python 3) does not bundle Jinja2. + ------------------------------------------------------------------------------- ## __cylc-7.8.1 (2019-01-25)__ From 971876ec8b2aeb2e4352994ca6fd6551ba4ac88f Mon Sep 17 00:00:00 2001 From: Hilary James Oliver Date: Sat, 27 Apr 2019 00:26:37 +1200 Subject: [PATCH 4/4] Tweak change log. --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 6a1da823925..3914472e3f0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -18,7 +18,7 @@ with `{{INJECTION COMMANDS}}` in a URI* that cannot be updated because the new Jinja2 requires Python 3. However **this CVE does not impact cylc-7 because Cylc workflow definitions are not web pages**. -- cylc-8 (master branch, written in Python 3) does not bundle Jinja2. +- cylc-8 (master branch, written in Python 3) does not bundle Jinja2, and uses the fixed version 2.10.1. ------------------------------------------------------------------------------- ## __cylc-7.8.1 (2019-01-25)__