| 1 | +--- |
| 2 | +layout: page |
| 3 | +title: Security advisories |
| 4 | +permalink: /security/ |
| 5 | +--- |
| 6 | + |
| 7 | +IdPy projects, particularly the IdPy libraries (pySAML2, pyXMLSecurity, |
| 8 | +pyeleven, oidcendpoint, and JWT-Connect-Python), are used by services around |
| 9 | +the world. IdPy has a [security incident handling process][idpy-incident-response] |
| 10 | +that applies to all IdPy projects. Security vulnerabilities reported for an |
| 11 | +IdPy project are handled as responsibly and publicly as possible, following |
| 12 | +GitHub’s guidance on managing these types of vulnerabilities. |
| 13 | + |
| 14 | + |
| 15 | +## FAQ |
| 16 | + |
| 17 | +- Are CVEs created for each security vulnerability? |
| 18 | + |
| 19 | + Yes. Each vulnerability that is reported and verified is assigned a CVE |
| 20 | + identifier. This is part of the incident-response handling process that IdPy |
| 21 | + follows. Security advisories are managed through GitHub and use GitHub as the |
| 22 | + CVE Numbering Authority (CNA). Further information on how security advisories |
| 23 | + are managed through GitHub can be found at “[About GitHub’s Security |
| 24 | + Advisories][gh-sec-advisories]”. |
| 25 | + |
| 26 | +- How is the community notified of vulnerabilities and associated patches? |
| 27 | + |
| 28 | + IdPy has multiple communication channels; the [IdPy mailing list][idpy-ml], |
| 29 | + the [IdPy slack workspace][idpy-slack] ([invitation][idpy-slack-invite]) and |
| 30 | + project-specific mailing lists. |
| 31 | + |
| 32 | + When a new vulnerability is reported and verified, a new security advisory is |
| 33 | + created on GitHub and the issue is assigned a CVE identifier. Progress on the |
| 34 | + mitigation is tracked on a private fork, where the incident-response team and |
| 35 | + developers communicate to fix the issue. |
| 36 | + |
| 37 | + When the fix is ready, a release plan is prepared and all communication |
| 38 | + channels are used to notify the community of the presence of a new issue and |
| 39 | + the expected release plan. This allows the community time to prepare for a |
| 40 | + security upgrade. (Notice that security fixes are not backported at the |
| 41 | + moment.) |
| 42 | + |
| 43 | + When the advisory is published, GitHub automatically notifies all associated |
| 44 | + projects of the published advisory. Projects that use IdPy projects as |
| 45 | + dependencies should automatically get Pull Requests by dependabot. |
| 46 | + Additionally, all communication channels are used again, to notify the |
| 47 | + community of the release of a new version of the affected software that |
| 48 | + contains the relevant fixes that mitigate the reported issue. |
| 49 | + |
| 50 | +- Is there a mailing list I can join to receive security announcements? |
| 51 | + |
| 52 | + At this moment, there is no separate list with security announcements. We |
| 53 | + announce new and upcoming releases on the idpy-discuss mailing list and the |
| 54 | + relevant project lists. These lists have more traffic than just release or |
| 55 | + security announcements. |
| 56 | + |
| 57 | + As another option, one can subscribe to notifications about new releases |
| 58 | + using the “watch” mechanism provided by GitHub. When a new release is out, it |
| 59 | + is tagged and uploaded both on pypi and GitHub. You can find information |
| 60 | + about subscribing to releases on the GitHub documentation section |
| 61 | + “[Configuring your watch settings for an individual |
| 62 | + repository][gh-watch-individual]”. |
| 63 | + |
| 64 | +- What is the best approach to mitigate an issue? |
| 65 | + |
| 66 | + Upgrade to the latest version. At this point, IdentityPython does not have |
| 67 | + the resources required to provide backports of security issues or other |
| 68 | + fixes. We urge the community to try to keep up with the latest version. The |
| 69 | + organization advocates FOSS and is open to new colaborators. Since, |
| 70 | + everything is open, users are free to backport patches on their own. |
| 71 | + |
| 72 | + |
| 73 | +## List of published security advisories |
| 74 | + |
| 75 | +- CVE-2021-21239 - PySAML2 - To be announced on 2021/01/20 |
| 76 | +- CVE-2021-21238 - PySAML2 - To be announced on 2021/01/20 |
| 77 | +- [CVE-2020-5390] - PySAML2 - Improper Verification of Cryptographic Signature |
| 78 | + |
| 79 | + |
| 80 | + [idpy-incident-response]: https://github.com/IdentityPython/Governance/blob/master/idpy-incidentresponse.md |
| 81 | + [idpy-ml]: https://lists.sunet.se/listinfo/idpy-discuss |
| 82 | + [idpy-slack]: https://identity-python.slack.com |
| 83 | + [idpy-slack-invite]: https://join.slack.com/t/identity-python/shared_invite/enQtNzEyNjU1NDI1MjUyLTM2MWI5ZGNhMTk1ZThiOTIxNWY2OTY1ODVmMWNjMzUzMTYxNTY5MzE5N2RlYjExZTIyM2MwYjBjZGE4MGVlMTM |
| 84 | + |
| 85 | + [gh-sec-advisories]: https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories |
| 86 | + [gh-watch-individual]: https://docs.github.com/en/github/managing-subscriptions-and-notifications-on-github/viewing-your-subscriptions#configuring-your-watch-settings-for-an-individual-repository |
| 87 | + |
| 88 | + [CVE-2020-5390]: https://github.com/advisories/GHSA-qf7v-8hj3-4xw7 |
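Review bot: the page explains how the community is told about a vulnerability but never says how a reporter should submit one privately; lines 9-12 point at the incident-response document, but a short "Reporting a vulnerability" sentence (or an explicit link to the reporting section of that document) belongs on this page, since this is the URL people will land on when they find a bug. Two further points in the same hunk: lines 43-45 state that downstream projects "should automatically get Pull Requests by dependabot", which only holds for repositories that have Dependabot security updates enabled and a supported dependency manifest, so qualify that sentence rather than promising it unconditionally; and lines 69-70 have a typo and a stray comma ("colaborators", "Since, everything is open"), which should read "collaborators" and "Since everything is open".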