View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|15280||Development||Security||public||2019-09-14 11:20||2020-01-21 14:48|
|Summary||15280: Security fix hidden until release|
|Description||It's not a security issue: it's about our way to fix security issues.
We disclose security issues before release: then LimeSurvey can have a 0-day bug for more than one day, even with a LimeSurvey updated each minute.
I think we must find a way to avoid this.
|Steps To Reproduce||See: https://github.com/LimeSurvey/LimeSurvey/commit/973959b0566c50dd12ca62b7c84d7e2b64c4254e|
Every updated LimeSurvey (via ComfortUpdate) has the issue for 7 days. https://github.com/LimeSurvey/LimeSurvey/releases/tag/3.17.14%2B190902
There are some others.
|Additional Information||I must check how other FLOSS tools proceed. But I think we must have a |
1. master_security branch (private) on github (must give money, and unsure we can have a _private branch_ only) or any other git system (own or gitlab, **maybe best solution**)
2. core devs push security fixes to the private branch
3. this branch is always up to date with master
4. just before release: the private security branch is merged with master
I want to quickly speak of this on Friday … but no time (I hate Eurowings …)
|Tags||No tags attached.|
|Set to major? All security related must be major ;)|
(14:47:54) ollehar: shnoulle: Can you start the page about https://manual.limesurvey.org/How_to_fix_a_security_issue, please?
(14:48:02) ollehar: Basics: Report private bug on mantis
(14:48:05) ollehar: CVS not needed.
|2019-09-14 11:20||DenisChenu||New Issue|
|2019-09-14 11:20||DenisChenu||Status||new => assigned|
|2019-09-14 11:20||DenisChenu||Assigned To||=> c_schmitz|
|2019-09-14 11:22||DenisChenu||Severity||minor => partial_block|
|2019-09-14 11:22||DenisChenu||Note Added: 53570|
|2020-01-21 14:46||DenisChenu||Note Added: 55405|
|2020-01-21 14:48||DenisChenu||Note Added: 55406|