Comment 11 for bug 848807

David Glick (davisagli) wrote : Re: [Security-response] [Bug 848807] Re: Anonymous arbitrary shell execution possible via URL

On 9/22/11 10:02 AM, Martijn Pieters wrote:
> On Sep 22, 2011, at 18:46, Tres Seaver wrote:
>>> Tres, thanks a lot for the work!
>>>
>>> Since this is such a serious vulnerability, the Plone security team
>>> would like to hold off the hotfix release a bit and do a pre-
>>> announcement. So all vendors get a chance to plan and prepare for
>>> deploying the hotfix.
>> That is exactly the reason *not* to hold off -- we should be putting out
>> the hotfix and new releases ASAP, because of its seriousness.
>>
>>> We'll do a pre-announcement of the upcoming patch, to be released on
>>> Tuesday October 4. And then we can handle the actual release of the
>>> code on that day. I can take care of the Zope-side of the hotfix
>>> release and also release proper new versions of Zope 2.12 and 2.13 at
>>> the same time.
>> You want to leave this unpatched for *two weeks*? That seems grossly
>> irresponsible to me: the Zope community *is* bigger than a set of
>> nervous Plone integrators, and deserves to get fixes for "zero day"
>> exploits out as soon as they are available.
> This is *not* a "zero day". Alan is a member of the Plone security team,
> this bug has not been reported outside of the Zope bugtracker, and is
> thus not yet known outside of this privileged circle of Zope and Plone
> security team members. A "zero day" is a vulnerability that has been
> exploited before it is known to the vendor, this is not such a bug.
> Right now we have the luxury to formulate how we inform the community.
>
> The Plone security team has had a lot of feedback about critical flaws
> like these. Enterprise customers especially like to be able to plan a
> critical security update well in advance (up to two weeks notice even);
> a one week notice is the current compromise. We would *not* communicate
> any details about the vulnerability, other than the versions affected
> and the level of seriousness, in the initial pre-announcement.
>
> The alternative is to just throw the vulnerability and its patch out
> there on a Tuesday. We will catch a large part of the community that is
> paying attention to security issues, but there is a much vaster group of
> Zope installations out there that remains vulnerable to this very
> exploit without immediate patching. We put those installations at risk
> the moment we issue the patch.
>
> By pre-announcing, we can reach a much larger chunk of our audience as
> the message has time to spread out, *without* putting everyone at risk
> of the vulnerability being exploited early.
+1. In the case where we have the luxury of knowing about an issue that
has only been disclosed to us, it feels more irresponsible to me to
release it without (a non-specific) warning. A release with no
pre-announcement means more people will be unable to apply the patch in
a timely manner. I would be willing to compromise on a 1-week warning
period instead of 2 weeks.
David