Home Explore Help
Sign In
OWEALs
/
curl
mirror of https://github.com/curl/curl.git
2
0
Fork 0
Files Issues 8 Wiki
Tree: 8e62f7a650
Branches Tags
curl
/
docs
/
SECURITY

SECURITY 4.0 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1.                                   _   _ ____  _
    2. 

  2.                               ___| | | |  _ \| |
    3. 

  3.                              / __| | | | |_) | |
    4. 

  4.                             | (__| |_| |  _ <| |___
    5. 

  5.                              \___|\___/|_| \_\_____|
    6. 

  6. 

  7. CURL SECURITY FOR DEVELOPERS
    8. 

  8. 

  9. This document is intended to provide guidance to curl developers on how
    10. 

  10. security vulnerabilities should be handled.
    11. 

  11. 

  12. PUBLISHING INFORMATION
    13. 

  13. 

  14. All known and public curl or libcurl related vulnerabilities are listed at
    15. 

  15. http://curl.haxx.se/docs/security.html
    16. 

  16. 

  17. Security vulnerabilities should not be entered in the project's public bug
    18. 

  18. tracker unless the necessary configuration is in place to limit access to the
    19. 

  19. issue to only the reporter and the project's security team.
    20. 

  20. 

  21. VULNERABILITY HANDLING
    22. 

  22. 

  23. The typical process for handling a new security vulnerability is as follows.
    24. 

  24. 

  25. No information should be made public about a vulnerability until it is
    26. 

  26. formally announced at the end of this process. That means, for example that a
    27. 

  27. bug tracker entry must NOT be created to track the issue since that will make
    28. 

  28. the issue public and it should not be discussed on any of the project's public
    29. 

  29. mailing lists. Also messages associated with any commits should not make
    30. 

  30. any reference to the security nature of the commit if done prior to the public
    31. 

  31. announcement.
    32. 

  32. 

  33. - The person discovering the issue, the reporter, reports the vulnerability
    34. 

  34.   privately to curl-security@haxx.se. That's an email alias that reaches a
    35. 

  35.   handful of selected and trusted people.
    36. 

  36. 

  37. - Messages that do not relate to the reporting or managing of an undisclosed
    38. 

  38.   security vulnerability in curl or libcurl are ignored and no further action
    39. 

  39.   is required.
    40. 

  40. 

  41. - A person in the security team sends an e-mail to the original reporter to
    42. 

  42.   acknowledge the report.
    43. 

  43. 

  44. - The security team investigates the report and either rejects it or accepts
    45. 

  45.   it.
    46. 

  46. 

  47. - If the report is rejected, the team writes to the reporter to explain why.
    48. 

  48. 

  49. - If the report is accepted, the team writes to the reporter to let him/her
    50. 

  50.   know it is accepted and that they are working on a fix.
    51. 

  51. 

  52. - The security team discusses the problem, works out a fix, considers the
    53. 

  53.   impact of the problem and suggests a release schedule. This discussion
    54. 

  54.   should involve the reporter as much as possible.
    55. 

  55. 

  56. - The release of the information should be "as soon as possible" and is most
    57. 

  57.   often synced with an upcoming release that contains the fix. If the
    58. 

  58.   reporter, or anyone else, thinks the next planned release is too far away
    59. 

  59.   then a separate earlier release for security reasons should be considered.
    60. 

  60. 

  61. - Write a security advisory draft about the problem that explains what the
    62. 

  62.   problem is, its impact, which versions it affects, solutions or
    63. 

  63.   work-arounds, when the release is out and make sure to credit all
    64. 

  64.   contributors properly.
    65. 

  65. 

  66. - Request a CVE number from distros@openwall.org[1] when also informing and
    67. 

  67.   preparing them for the upcoming public security vulnerability announcement -
    68. 

  68.   attach the advisory draft for information. Note that 'distros' won't accept
    69. 

  69.   an embargo longer than 19 days.
    70. 

  70. 

  71. - Update the "security advisory" with the CVE number.
    72. 

  72. 

  73. - The security team commits the fix in a private branch. The commit message
    74. 

  74.   should ideally contain the CVE number. This fix is usually also distributed
    75. 

  75.   to the 'distros' mailing list to allow them to use the fix prior to the
    76. 

  76.   public announcement.
    77. 

  77. 

  78. - At the day of the next release, the private branch is merged into the master
    79. 

  79.   branch and pushed. Once pushed, the information is accessible to the public
    80. 

  80.   and the actual release should follow suit immediately afterwards.
    81. 

  81. 

  82. - The project team creates a release that includes the fix.
    83. 

  83. 

  84. - The project team announces the release and the vulnerability to the world in
    85. 

  85.   the same manner we always announce releases. It gets sent to the
    86. 

  86.   curl-announce, curl-library and curl-users mailing lists.
    87. 

  87. 

  88. - The security web page on the web site should get the new vulernability
    89. 

  89.   mentioned.
    90. 

  90. 

  91. [1] = http://oss-security.openwall.org/wiki/mailing-lists/distros
    92.