nats-io/advisories
Advisories for NATS

This repository hosts public advisories, typically security advisories, related to the NATS project.

It is intended to be accessed via https://advisories.nats.io

To limit the risk of accidental early disclosure, most forms of public comment are disabled on the repo.

Please note: security folks are significantly more likely than the general population to keep JavaScript disabled in their browsers, so this website should be kept fully functional when JavaScript is disabled.

Adding an Advisory

Expect people to have notifications enabled for this repository, so leaving a new page out of the index does nothing to keep it secret.

  1. Add the text file to the CVE/ directory
  2. Edit the index.md file with appropriate description
  3. Commit and push on the main branch
  4. See deployment progress at: https://github.com/nats-io/advisories/deployments/activity_log?environment=github-pages
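
Step 2 is easy to forget once the text file from step 1 is in place, so a small consistency check is useful before committing. The script below is an added example, not part of this repository; it assumes the layout the steps describe (advisory text files under CVE/, an index.md that links to each of them with a markdown link) and uses constructed sample filenames and index content rather than real NATS advisories.

```python
"""Check that every advisory file under CVE/ is linked from index.md.

Assumptions (not taken from the repository itself): advisory text files
live in CVE/, and index.md refers to each one with a markdown link whose
target is either "CVE/<name>" or just "<name>".  The sample data below is
constructed for the example.
"""
import os
import re
import sys

# Constructed sample: three advisory files, only two of them linked.
SAMPLE_CVE_FILES = ["CVE-0000-0001.txt", "CVE-0000-0002.txt", "CVE-0000-0003.txt"]
SAMPLE_INDEX_MD = """# Advisories

- [CVE-0000-0001](CVE/CVE-0000-0001.txt): sample description one
- [CVE-0000-0002](CVE/CVE-0000-0002.txt): sample description two
"""


def referenced_paths(index_text):
    """Return the set of link targets of all markdown links in index_text."""
    return {m.group(1) for m in re.finditer(r"\]\(([^)\s]+)\)", index_text)}


def unreferenced_advisories(cve_files, index_text):
    """Names from cve_files that no markdown link in index_text points at."""
    targets = referenced_paths(index_text)
    missing = [
        name
        for name in cve_files
        if f"CVE/{name}" not in targets and name not in targets
    ]
    return sorted(missing)


def check_repo(root="."):
    """Run the check against a real checkout rooted at `root`."""
    cve_dir = os.path.join(root, "CVE")
    files = sorted(f for f in os.listdir(cve_dir) if not f.startswith("."))
    with open(os.path.join(root, "index.md"), encoding="utf-8") as fh:
        return unreferenced_advisories(files, fh.read())


if __name__ == "__main__":
    # With a path argument, check that checkout; otherwise run on the sample.
    if len(sys.argv) > 1:
        missing = check_repo(sys.argv[1])
    else:
        missing = unreferenced_advisories(SAMPLE_CVE_FILES, SAMPLE_INDEX_MD)
    for name in missing:
        print(f"not linked from index.md: CVE/{name}")
    sys.exit(1 if missing else 0)
```

Run it with the checkout path as the only argument before step 3; a non-zero exit means at least one file in CVE/ has no link in index.md. The link-target matching is deliberately simple, so if the index uses a different link format the `referenced_paths` regex is the one place to adjust.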

Getting a CVE assignment

In future, use GitHub's ability to request a CVE as part of drafting a security advisory; obtaining a CVE through the previously used process has become slow.

CVEs are typically requested from MITRE as the CNA of last resort for open source projects: https://cveform.mitre.org/

Fill out enough detail to get a number assigned; be accurate, and withhold details where appropriate. At this first stage, I usually make sure to classify the type of vulnerability and the affected version numbers, but not much more.

After the advisory has been published, the CVE record can be updated by submitting the same form again.

Other Publications

We create GitHub Security Advisories for any project on GitHub, to aid with ecosystem notifications. Cross-reference the GHSA advisory and the CVE in this repository. See any existing advisory for examples.

Publicising the Advisory

  1. The push to the GitHub repo, on any branch, will alert people who have watches set up, so from that moment on the public clock is ticking.
  2. Send a copy to the oss-security mailing-list, which is currently the main announcement list for open source software security issues: https://oss-security.openwall.org/wiki/mailing-lists/oss-security and https://www.openwall.com/lists/oss-security/
  3. Create a GitHub security advisory; this will help downstream users get automatic notifications if they depend upon the affected software. The repository's "Security" tab, "Security advisories" section.
    E.g. https://github.com/nats-io/nats-server/security/advisories.
    You can draft an advisory ahead of time; publishing the advisory is almost irreversible.
  4. For Go vulnerabilities, file an issue to update the Go Vulnerability Database using this ticket-opening shortcut, as documented in the announcement blog-post.
  5. Notify Slack in various places: natsio #general, gophers #nats
  6. If really disastrous, consider having a tweet sent from the official account.
  7. Update the official CVE registration details.

Local development

  1. Run bundle install to install the dependencies.
  2. Run bundle exec jekyll serve to serve a local site preview.

See the pages-themes GitHub repo for further details about customizing the template, layout, and CSS.
