Hi everyone,
This proposal is a follow-up of this request for getting security announcements: Security Announcements via push?
My understanding of the problem is that right now admins don’t have a simple way to know that an important vulnerability in their instance has been found and fixed in a recent release, before the vulnerability has been actually publicly disclosed.
This proposal is about solving this problem by creating a new dedicated mailing list for receiving announcements, and by defining a new step when releasing a version of XWiki to send information in that mailing list.
Right now release notes contain a very small piece of information regarding whether they contain security fixes: only the impact of the worst vulnerability fixed in the release (see also discussions on that choice here: Indicate if there are security issues in the Release Notes).
Here I propose that we indicate a bit more info: at least, administrators need to know which version of XWiki is affected.
So the mail should indicate:
- which version of XWiki has just been released, with a link to the RN
- how many vulnerabilities have been fixed, with the affected versions
- the CVSS vectors
I’m hesitating to propose to also indicate the CVE number, since we can request it before the CVE is published: it would allow admins to easily match the received announcement whenever the actual CVE is disclosed.
I don’t have many ideas for the ML name, maybe security-announcement@xwiki.org?
Also I’m hesitating between proposing to create a closed ML or an open one: I don’t think it’s a problem to have it open.
Finally, if we provide all this info in this ML, maybe we’d like to revise what we put in our RN to include the same info; that’s probably to be discussed.
wdyt?