-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1e0bab4
commit f24da3d
Showing
1 changed file
with
146 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| # Haskell Security Response Team - 2024 July–October report + SRT membership update | ||
|
|
||
| The Haskell Security Response Team (SRT) is a volunteer organization | ||
| within the Haskell Foundation that is building tools and processes | ||
| to aid the entire Haskell ecosystem in assessing and responding to | ||
| security risks. In particular, we maintain a [database][repo] of | ||
| security advisories that can serve as a data source for security | ||
| tooling. | ||
|
|
||
| This report details the SRT activities from July through October | ||
| \2024. We extended this reporting period by one month to include | ||
| the results of our recent Call for Volunteers. | ||
|
|
||
| [repo]: https://github.com/haskell/security-advisories | ||
|
|
||
| The SRT is: | ||
|
|
||
| - Fraser Tweedale | ||
| - Gautier Di Folco | ||
| - Lei Zhu (new!) | ||
| - Mihai Maruseac | ||
| - Montez Fitzpatrick (new!) | ||
| - Tristan de Cacqueray | ||
|
|
||
|
|
||
| ## How to contact the SRT | ||
|
|
||
| For assistance in coordinating a security response to newly | ||
| discovered, high impact vulnerabilities, contact | ||
| `[email protected]`. Due to limited resources, we can | ||
| only coordinate embargoed disclosures for high impact | ||
| vulnerabilities affecting current versions of core Haskell tools and | ||
| libraries, or in other exceptional cases. | ||
|
|
||
| You can submit lower-impact or historical vulnerabilities to the | ||
| advisory database via a pull request to our [GitHub | ||
| repository][repo]. | ||
|
|
||
| You can also contact the SRT about non-advisory/security-response | ||
| topics. We prefer public communication where possible. In most | ||
| cases, [GitHub issues][gh-new-issue] are an appropriate forum. But | ||
| the mail address is there if no other appropriate channel exists. | ||
|
|
||
| [gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose | ||
|
|
||
|
|
||
| ## Growing the SRT | ||
|
|
||
| Following our mid-year decision to grow the SRT, José on behalf of | ||
| the SRT published a [Call for Volunteers]. Applications closed at | ||
| the end of September, with 4 applications received. Thank you to | ||
| all applicants! We accepted 2 of the proposals, having in mind the | ||
| long term sustainability of the SRT as a volunteer organisation | ||
| (i.e. we should avoid burning the willing volunteers all at once!) | ||
|
|
||
| The new members of the SRT are: | ||
|
|
||
| - **Lei Zhu**, who brings experience with web security, Linux | ||
| security, privacy regulations and threat analysis. Lei has also | ||
| contributed to HLS, vscode-haskell, and related projects, and | ||
| maintains the *array* package. | ||
|
|
||
| - **Montez Fitzpatrick** has a breadth of cybersecurity experience | ||
| across two decades. As CISO of a healthcare company, GRC is | ||
| his current focus. He has used Haskell professionally to build | ||
| tooling for cybersecurity tasks. | ||
| and is currently the CISO of a healthcare company. | ||
|
|
||
| Welcome to the team! | ||
|
|
||
| [Call for Volunteers]: https://discourse.haskell.org/t/call-for-volunteers-haskell-security-response-team-2024/10287 | ||
|
|
||
|
|
||
| ## Advisory database | ||
|
|
||
| 1 contemporary advisory was published during the reporting period. | ||
|
|
||
| 0 historical advisories were added during the reporting period. | ||
|
|
||
| 2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved | ||
| for embargoed vulnerabilities, which will be published later. | ||
|
|
||
| Additionally, [HSEC-2024-0003] received substantive updates, because | ||
| it was discovered that the original fix was incomplete. | ||
|
|
||
| We ask community members to report any known security issues, | ||
| including historical issues, that are not yet included. | ||
|
|
||
| [HSEC-2024-0003]: https://osv.dev/vulnerability/HSEC-2024-0003 | ||
|
|
||
|
|
||
| ## `haskell.org` Apache security update | ||
|
|
||
| In early August the SRT was notified bug hunter Divya Singh | ||
| ([Dgirlwhohacks]) that the version of Apache httpd serving | ||
| `haskell.org` was vulnerable to CRLF injection. We escalated the | ||
| issue to the [Haskell Infrastructure Admins][haskell-infra], and | ||
| Gershom Bazerman promptly resolved the issue by upgrading Apache. | ||
| Thanks to Divya and Gershom for reporting and fixing the issue. | ||
|
|
||
| [Dgirlwhohacks]: https://www.linkedin.com/in/dgirlwhohacks/ | ||
| [haskell-infra]: https://github.com/haskell-infra/haskell-admins | ||
|
|
||
|
|
||
| ## *hackage-server* "Reporting Vulnerabilities" link | ||
|
|
||
| Gautier implemented a *Reporting Vulnerabilities* link on package | ||
| pages in *hackage-server* ([pull request #1292]). At the moment it | ||
| links to the `CONTRIBUTING.md` in the *haskell/security-advisories* | ||
| GitHub repository. In the future we would like to improve the | ||
| contributor experience (e.g. a web form). But this small step is a | ||
| big improvement because it makes visible to users the fact that they | ||
| *can* report security issues. | ||
|
|
||
| The change is yet to be deployed. It should be picked up in the | ||
| next deployment on `hackage.haskell.org`, whenever that may be. | ||
|
|
||
| [pull request #1292]: https://github.com/haskell/hackage-server/pull/1292 | ||
|
|
||
|
|
||
| ## Tooling updates | ||
|
|
||
| - CVSS 4.0 support is stalled. andrii (@unorsk) did significant | ||
| initial work, and Fraser is reviewing, iterating and integrating | ||
| it. CVSS 4.0 is *much* more complex than previous versions, and | ||
| parts of the specification are ambiguous. We hope to finish the | ||
| implementation and release updates around the end of year. | ||
|
|
||
| - Hécate is working on integrating security advisory data in | ||
| *flora-server* ([pull | ||
| request](https://github.com/flora-pm/flora-server/pull/762)). | ||
| They engaged the SRT for review (Gautier answered the call). | ||
|
|
||
| - Because [Flora](https://flora.pm/) indexes Haskell packages from | ||
| namespaces beyond Hackage (e.g. Cardano), there is an ask | ||
| ([#240](https://github.com/haskell/security-advisories/issues/240)) | ||
| to extend the Advisory DB data model and tooling to support | ||
| additional namespaces. We have agreed on the approach but we have | ||
| not started implementing it. | ||
|
|
||
| - Mihai has been following the work by Janus Troelsen to add Haskell | ||
| support to [Renovate](https://github.com/renovatebot/renovate), an | ||
| automated dependency update tool. | ||
| - [Feature request](https://github.com/renovatebot/renovate/issues/8187) | ||
| - [PVP versioning module discussion](https://github.com/renovatebot/renovate/discussions/31663) | ||
| - [PVP versioning scheme pull request (open)](https://github.com/renovatebot/renovate/pull/32298) |