View Issue Details

ID: 15280
Project: Development
Category: Security
View Status: public
Last Update: 2020-01-21 14:48
Reporter: DenisChenu
Assigned To: c_schmitz
Priority: none
Severity: partial_block
Status: assigned
Resolution: open
Product Version: 3.x
Summary: 15280: Security fix hidden until release
Description

It's not a security issue: it's about our way to fix security issues.
We disclose security issues before release: then LimeSurvey can have a 0-day bug for more than one day, even with a LimeSurvey update each minute.
I think we must find a way to avoid this.

Steps To Reproduce

See: https://github.com/LimeSurvey/LimeSurvey/commit/973959b0566c50dd12ca62b7c84d7e2b64c4254e
All updated LimeSurvey (via ComfortUpdate) have the issue for 7 days. https://github.com/LimeSurvey/LimeSurvey/releases/tag/3.17.14%2B190902

There are some others.

Additional Information

I must check how other FLOSS tools proceed. But I think we must have a

  1. master_security branch (private) on GitHub (must give money, and unsure we can have a private branch only) or any other git system (own or GitLab, maybe best solution)
  2. core devs push security fixes in the private branch
  3. this branch is always up to date with master
  4. just before release: the private security branch is merged with master

I wanted to quickly speak about this on Friday … but no time (I hate Eurowings …)

Tags: No tags attached.
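
The four-step flow proposed in the description above, simulated locally as an added example (not part of the original report and not LimeSurvey's actual process). Two bare repositories stand in for the public GitHub repository and a private git host; the remote names, file names and commit messages are constructed for the demo.

```shell
#!/bin/sh
# Added example: two local bare repos stand in for the public GitHub repo and a
# private git host. Remote, file and commit names are constructed for the demo.
set -eu
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid

# commit <file> <message>: write one file and commit it on the current branch
commit() { echo "$2" > "$1"; git add "$1"; git commit -q -m "$2"; }

# has_file <bare repo> <branch> <path>: true if that branch contains the path
has_file() { git --git-dir="$1" cat-file -e "$2:$3" 2>/dev/null; }

# Steps 1-3: the fix lives only on the private remote, kept current with master
stage_fix() (
  git init -q --bare "$1/public.git"
  git init -q --bare "$1/private.git"
  git init -q "$1/work"
  cd "$1/work"
  git symbolic-ref HEAD refs/heads/master
  git remote add public "$1/public.git"
  git remote add private "$1/private.git"
  commit app.php "previous release"
  git push -q public master
  git checkout -q -b master_security
  commit fix.php "security fix"              # step 2: fix goes to private only
  git push -q private master_security
  git checkout -q master
  commit feature.php "unrelated public work"
  git push -q public master
  git checkout -q master_security
  git merge -q --no-edit master              # step 3: stay up to date with master
  git push -q private master_security
)

# Step 4: just before the release, merge the private branch and publish it
publish_release() (
  cd "$1/work"
  git checkout -q master
  git merge -q --no-edit master_security
  git push -q public master
)

demo=$(mktemp -d)
stage_fix "$demo"
has_file "$demo/public.git" master fix.php || echo "before release: fix not public"
publish_release "$demo"
has_file "$demo/public.git" master fix.php && echo "after release: fix public"
rm -rf "$demo"
```

The window in which the fix is readable on the public remote starts only at `publish_release`, which is the point of the proposal.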

Activities

DenisChenu

2019-09-14 11:22

developer   ~53570

Set to major? All security related must be major ;)

DenisChenu

2020-01-21 14:46

developer   ~55405

https://wordpress.org/about/security/
https://www.drupal.org/drupal-security-team

DenisChenu

2020-01-21 14:48

developer   ~55406

(14:47:54) ollehar: shnoulle: Can you start the page about https://manual.limesurvey.org/How_to_fix_a_security_issue, please?
(14:48:02) ollehar: Basics: Report private bug on mantis
(14:48:05) ollehar: CVS not needed.

Issue History

Date Modified Username Field Change
2019-09-14 11:20 DenisChenu New Issue
2019-09-14 11:20 DenisChenu Status new => assigned
2019-09-14 11:20 DenisChenu Assigned To => c_schmitz
2019-09-14 11:22 DenisChenu Severity minor => partial_block
2019-09-14 11:22 DenisChenu Note Added: 53570
2020-01-21 14:46 DenisChenu Note Added: 55405
2020-01-21 14:48 DenisChenu Note Added: 55406