
Reporting several Security issues #4437

Closed
securelayer7 opened this Issue Sep 18, 2017 · 26 comments

@ghost

ghost commented Sep 18, 2017

Hi Team,

We have some critical vulnerabilities in the application to report to you. We have prepared a report with details of the vulnerabilities. Kindly send me the contact person's email so that I can share the report, or I can also open public tickets here in the issues. As these are security issues, I do not want to post them publicly.

Kindly provide us the option. Thanks

@eqyiel

eqyiel commented Sep 19, 2017

If no one gets back to you, could you please get in touch with Thinkmill: https://www.thinkmill.com.au/

They are the company that is behind Keystone.

@simonwidjaja

simonwidjaja commented Sep 19, 2017

Yes. This should NOT be ignored. And a big thanks in advance for creating and preparing a report! 👍

@ghost

ghost commented Sep 19, 2017

Thank you for all your support. We have the report ready, but we are unable to find the responsible person's email address. I'm looking at the https://www.thinkmill.com.au/ website, and I do not find any security issue reporting email address.

@SheaBelsky

SheaBelsky commented Sep 20, 2017

@jstockwin

jstockwin commented Sep 20, 2017

Member

This needs to get to Jed, who is very busy at the moment - see this issue. Hopefully he'll get round to this when things are back on track.

@JedWatson

JedWatson commented Sep 21, 2017

Member

Thanks for the bump, I've been in touch with @securelayer7 and am sorting out a secure email address for keystone so we can get the report. Just wanted to let everyone know that this is now underway.

@sandeepl337

sandeepl337 commented Sep 27, 2017

Hi all,

We have reported the vulnerabilities to @JedWatson and now we are waiting for his reply.

Thanks

@VinayaSathyanarayana

VinayaSathyanarayana commented Oct 2, 2017

Any updates?

@sandeepl337

sandeepl337 commented Oct 2, 2017

So far no update from @JedWatson. We are still waiting for the reply and patches. If the vulnerability is patched, then we will be forced to make it publicly available, so you can prepare your own patches.

Thanks

@Noviny

Noviny commented Oct 4, 2017

Member

@sandeepl337 we've asked @molomby to take over investigating this from Jed. Assuming Jed has your contact details, I'll make sure molomby gets them tomorrow.

@molomby

molomby commented Oct 5, 2017

Member

Hi @securelayer7 and @sandeepl337, @JedWatson's passed your report on to me and I've been working to verify and patch the issues.

This has also started a separate conversation about how Keystone as a project can better accept and respond to security reports. The lack of clear reporting guidelines, contact details, etc. has clearly hindered the process.

We do really appreciate the effort you've put in, both to find these issues and bring them to our attention. I'll update this thread as things progress.

@sandeepl337

sandeepl337 commented Oct 5, 2017

@molomby Thank you for the response. It would be good for security researchers to report the vulnerabilities. This would be a good initiative, and if you face any difficulty reading the report, let me know and I'll make sure you understand the context of the vulnerability. Once you patch, let me know the updated GitHub link for verification of the patched code.

Thanks

@tewnut

tewnut commented Oct 7, 2017

Besides, the documentation should have a separate section for server administrators to follow best practices to secure keystone apps. It should particularly address keystone-specific vulnerabilities.

@jjmpsp

jjmpsp commented Oct 9, 2017

Sorry to be a pain, but can we get more information on the severity of these issues (without releasing too much information before a patch is released)? I'm currently running multiple instances of keystone for clients and need to know how I can better protect their apps. Thanks.

@sandeepl337

sandeepl337 commented Oct 10, 2017

@jjmpsp do you want the changes in the report?

@JedWatson

JedWatson commented Oct 10, 2017

Member

I just spent several hours with @molomby reviewing fixes that have been prepared for the issues @sandeepl337 reported. They are nearly ready to be released.

Our current plan is to publish two new betas later this week - one including only the patches for the security issues (so there is as small a barrier to updating as possible) and another rolling up all changes since the last beta release on master including the fixes.

We'll then publish the information from the report after a delay (probably ~4 weeks), to explain what was addressed after everybody has had a chance to upgrade.

It's challenging safely addressing vulnerabilities in open source projects, so this is our plan but if anybody has something better to propose please let us know.

@sandeepl337

sandeepl337 commented Oct 10, 2017

This sounds promising. Once you make the patch, and before releasing, let us know for re-testing of the fixed vulnerabilities.

Thanks

@JedWatson

JedWatson commented Oct 10, 2017

Member

Will do, thanks @sandeepl337!

@molomby

molomby commented Oct 12, 2017

Member

Sorry @jjmpsp, we don't want to release any info before fixes are available but I'll ping you when they are.

As @JedWatson mentioned, the next release will contain only security fixes so should be an easy upgrade from the current v4.0.0-beta.5. If you want to prep before the update, my advice would be to test/update your apps against that version, so you can quickly switch to the forthcoming v4.0.0-beta.6.

We're on track to get the release out tomorrow afternoon AEST (UTC+11).

@molomby

molomby commented Oct 16, 2017

Member

@securelayer7, @sandeepl337 -- I've shared a private repo with you guys containing fixes and will email you some details in a minute. It'd be fantastic if you could retest and OK the changes.

@JedWatson -- You'll need to publish the package when ready.

@sandeepl337

sandeepl337 commented Oct 16, 2017

Thank you for making all the fixes. I'm looking for the code fixes.

Thanks

@sandeepl337

sandeepl337 commented Oct 16, 2017

@molomby It would be great if you can share the fix links so that I can go through them one by one.

Thanks

@molomby molomby referenced this issue Oct 23, 2017

Merged

Security fixes #4478

@sandeepl337

sandeepl337 commented Oct 23, 2017

Thank you @molomby and @JedWatson for fixing the issue. If you need any information I'm happy to help you.

@asliwinski

asliwinski commented Oct 25, 2017

@molomby @JedWatson
Please take a look at https://snyk.io/test/github/keystonejs/keystone
I didn't go through all the issues listed there, but for example the project still references the affected version of qs (4.0.0).

@molomby

molomby commented Oct 25, 2017

Member

@asliwinski Ok, thanks for the heads up, I'll check these out.

@dani190

dani190 commented Nov 9, 2017

Any idea if this is resolved?

@Noviny Noviny closed this Feb 25, 2018
