Important defect - Harry Kaplanian (25 Sep 2019 08:51 EDT)
Re: Important defect - Stephen Pampell (25 Sep 2019 09:15 EDT)
RE: Important defect - Craig McNally (25 Sep 2019 09:49 EDT)
Re: Important defect - Brandon Tharp (25 Sep 2019 09:50 EDT)
Re: Important defect - Hongwei Ji (25 Sep 2019 09:53 EDT)
Re: Important defect - Stephen Pampell (25 Sep 2019 10:02 EDT)
Re: Important defect - Peter Murray (25 Sep 2019 09:50 EDT)
Re: Important defect - Harry Kaplanian (25 Sep 2019 10:03 EDT)
Re: Important defect - Ian Walls (25 Sep 2019 10:24 EDT)
Re: Important defect - Harry Kaplanian (25 Sep 2019 11:02 EDT)
Re: Important defect - Peter Murray (25 Sep 2019 11:05 EDT)
Re: Important defect - Robert Douglas (25 Sep 2019 11:17 EDT)
Re: Important defect - Peter Murray (25 Sep 2019 11:25 EDT)
Re: Important defect - Robert Douglas (25 Sep 2019 11:26 EDT)
Re: Important defect - Stephen Pampell (25 Sep 2019 11:40 EDT)
Re: Important defect - Ian Walls (25 Sep 2019 11:46 EDT)
Re: Important defect - Wayne Schneider (25 Sep 2019 12:14 EDT)
Re: Important defect - Stephen Pampell (25 Sep 2019 12:18 EDT)
Re: Important defect - Ian Walls (25 Sep 2019 12:24 EDT)
Re: Important defect - Tod Olson (25 Sep 2019 12:27 EDT)
Re: Important defect - Harry Kaplanian (25 Sep 2019 12:34 EDT)
Antw: Re: Important defect - Ingolf Kuss (25 Sep 2019 12:38 EDT)
Re: Important defect - Wayne Schneider (25 Sep 2019 12:34 EDT)
Re: Important defect - Drexl, Johannes (25 Sep 2019 12:27 EDT)

As far as I am aware, security issues reported by a member of the community stay private between the core dev team and said member until the issue is investigated, given a CVE, patched and most likely rolled out in production environments (say, about a week from delivery of the patch). Afterwards the issue is moved to the public. At least that's how I understood the normal proceedings, for example with Debian, Apache, mariadb and others.

--
Kind regards
Jo

--------------
Drexl Johannes
Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften
Boltzmannstraße 1
85748 Garching
User secretariat tel.: 089-35831-8000
Service desk tel.: 089-35831-8800

On Wednesday, 25.09.2019, 11:13 -0500, Wayne Schneider wrote:
> It does sound like the technical council has already been asked to address this. I believe the TC has strong representation from both "hosted" and "self-hosting" community members, doesn't it? I think this is the first "0-day" potential exploit that has been reported, so perhaps we should step back a little bit and work with the community to come up with a solid set of policies and procedures before jumping to the conclusion that anyone is trying to hide information to the advantage of hosting providers.
>
> Are there other examples of 0-day exploit reporting policies from other OSS communities that might serve as useful models? That might be something we could look at as a SIG, to provide input to the tech council.
>
> wayne
>
> On Wed, Sep 25, 2019 at 10:46 AM Ian Walls <ian@bywatersolutions.com> wrote:
> > If we want to protect live sites from exploits of 0-days before they can be patched, I think we're better off adjusting our critical bug reporting procedures than locking down access to the report of the problem to a curated set of users.
> >
> > Perhaps we keep the bug restricted to a trusted set of users until it's fixed, then once a fix is in place, we notify the community at large and make the issue open at that point? We'd need to make maintenance of this list of trusted users something the community can agree to, and make membership to it accessible.
> >
> > Ian
> >
> > On Wed, Sep 25, 2019 at 11:40 AM Stephen Pampell <spampell@library.tamu.edu> wrote:
> > > The instances of FOLIO running in production are not the only ones exposed to the internet. I believe it to be unethical to allow those institutions (such as Texas A&M) to be kept in the dark while hosted instances get “fixed”. This is not how an OSS community works.
> > >
> > > There needs to be a process by which we notify the community of security problems. And it can’t be one where we have 2 classes of organizations: one where you run on hosted instances and get patched immediately, and one where you self-host and get patches once the hosted instances are patched.
> > >
> > > Stephen Pampell | Systems Administrator IV
> > > Digital Initiatives | University Libraries
> > >
> > > Tel. 979.458.5581 | Fax 979.845.6238
> > >
> > > > On Sep 25, 2019, at 10:26 AM, Robert Douglas <rld244@cornell.edu> wrote:
> > > >
> > > > Ok thanks Peter.
> > > >
> > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Peter Murray <peter@indexdata.com>
> > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > Date: Wednesday, September 25, 2019 at 11:25 AM
> > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > Subject: Re: Important defect
> > > >
> > > > I can't think of a way of summarizing it without giving away the exploit. Given that we have a library in production now, I think it is prudent to wait until the issue is fully addressed.
> > > >
> > > > Peter
> > > >
> > > > --
> > > > Peter Murray
> > > > Open Source Community Advocate
> > > > Index Data, LLC
> > > > On Sep 25, 2019, 11:17 AM -0400, Robert Douglas <rld244@cornell.edu>, wrote:
> > > > >
> > > > > Is there a description of the issue outside of Jira we can see? I’m not seeing it in this thread.
> > > > >
> > > > > Thanks,
> > > > > Robbie
> > > > >
> > > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Peter Murray <peter@indexdata.com>
> > > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > Date: Wednesday, September 25, 2019 at 11:06 AM
> > > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>, "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > Subject: Re: Important defect
> > > > >
> > > > > Let's bounce this through Technical Council, too, to get a broader agreement. I just mentioned it on the TC call.
> > > > >
> > > > > Peter
> > > > >
> > > > > --
> > > > > Peter Murray
> > > > > Open Source Community Advocate
> > > > > Index Data, LLC
> > > > > On Sep 25, 2019, 11:02 AM -0400, Harry Kaplanian <hkaplanian@ebsco.com>, wrote:
> > > > > >
> > > > > > That is the concern. But, I still believe this group must know.
> > > > > > I’m compiling a list of people in Sys-Ops that should be in the “group” now…
> > > > > >
> > > > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Ian Walls <ian@bywatersolutions.com>
> > > > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > Date: Wednesday, September 25, 2019 at 10:25 AM
> > > > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > Subject: Re: Important defect
> > > > > >
> > > > > > CAUTION: External E-mail
> > > > > >
> > > > > > Is the concern that, if we report 0-day flaws in JIRA tickets, bad actors can come along and make exploits before our community can react?
> > > > > >
> > > > > > On Wed, Sep 25, 2019 at 10:03 AM Harry Kaplanian <hkaplanian@ebsco.com> wrote:
> > > > > > > Peter,
> > > > > > > we need a security level that includes the Sys-Ops group since they are hosting and testing with possibly real data at this point in time. In the future, as they host live, it will become critical that this group has access to this data so they can take appropriate actions when needed.
> > > > > > > Who can create this group?
> > > > > > >
> > > > > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Peter Murray <peter@indexdata.com>
> > > > > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > > Date: Wednesday, September 25, 2019 at 9:51 AM
> > > > > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > > Subject: Re: Important defect
> > > > > > >
> > > > > > > CAUTION: External E-mail
> > > > > > >
> > > > > > > It is set to a Jira security level of "FOLIO Core Team", so that may be limiting who can see it.
> > > > > > >
> > > > > > > Peter
> > > > > > >
> > > > > > > --
> > > > > > > Peter Murray
> > > > > > > Open Source Community Advocate
> > > > > > > Index Data, LLC
> > > > > > > On Sep 25, 2019, 9:15 AM -0400, Stephen Pampell <spampell@library.tamu.edu>, wrote:
> > > > > > > >
> > > > > > > > Interesting, I don’t have permission to view either of those issues.
> > > > > > > >
> > > > > > > > Stephen Pampell | Systems Administrator IV
> > > > > > > > Digital Initiatives | University Libraries
> > > > > > > >
> > > > > > > > Tel. 979.458.5581 | Fax 979.845.6238
> > > > > > > >
> > > > > > > > > On Sep 25, 2019, at 7:51 AM, Harry Kaplanian <hkaplanian@EBSCO.COM> wrote:
> > > > > > > > >
> > > > > > > > > Hello Sys-Ops SIG,
> > > > > > > > > I’m sending this to the group as I know some of you are hosting and testing FOLIO instances and there is a chance you might be loading and using real user data.
> > > > > > > > > Yesterday, during bug fest, a rather critical defect was found. Please see: https://issues.folio.org/browse/FOLIO-2281
> > > > > > > > >
> > > > > > > > > The original posting is located here: https://issues.folio.org/browse/MODAT-52
> > > > > > > > >
> > > > > > > > > The good news is that a fix was deployed this morning and testing is ongoing.
> > > > > > > > > Just in case any of you need to take precautions…
> > > > > > > > >
> > > > > > > > > Harry
> > > > > > > > >
> > > > > > > > > ------------------------------------------------------
> > > > > > > > > You received this message because you are subscribed to OLE Mailing List "sysops-sig".
> > > > > > > > > To unsubscribe from this list and stop receiving emails from it, follow this link: http://archives.simplelists.com.
> > > > > > > > > To post to this group, send email to sysops-sig@ole-lists.openlibraryfoundation.org.
> > > > > > > > > Visit this group at https://ole-lists.openlibraryfoundation.org.
> > > > > >
> > > > > > --
> > > > > > Ian Walls
> > > > > > FOLIO Implementation Lead
> > > > > > ByWater Solutions
> > > > > > Phone: (888) 900-8944
> > > > > > pronouns: (he/him/his)
> > > > > > timezone: Eastern