eZ Community » Forums » Developer » Security Advisories

Security Advisories

Monday 18 October 2010 10:07:56 pm - 33 replies

Are there any plans to move the security advisories (currently available at https://auth.ez.no/developer/security/security_advisories) onto share.ez.no?

Saturday 03 March 2012 8:45:06 pm

Hi all,

I'll send out an e-mail to the mailing list of the community project board and see if I can clear up what the status of this subject is. Please remind me here if I do not respond in, say, two weeks' time. The subject should at least be touched on at our (board) bi-weekly meetings after I've mailed about it.

Regards Robin

Saturday 03 March 2012 11:42:04 pm

@Jan I personally completely agree with the need to reestablish the public security-issues list (see the 1st comment in this thread)

Having said that:

- there are no known code-injection problems in eZ. If you can reproduce any, please file a report

- eZ still has a pretty good security track record, compared to other popular open source cms

- the known-issue list has always been updated only after fixes are released - this is a basic security practice, to avoid helping script kiddies all over the world in reverse engineering issues and producing exploits

- we are not withholding security fixes for enterprise-only branches; they all get merged eventually into the CP branch

Thursday 15 March 2012 10:40:39 pm

Hmm, given this is a community, perhaps this thread could be dedicated to promoting the security vulnerabilities and fixes that the community is aware of?  Copy'n'paste from support portal or wherever?  or would that violate the Support agreement?  Nicolas?  Can the community help eZ disseminate information, if eZ is too busy kicking ass?

@Steven, totally agree - eZP is pretty rock-solid in comparison and there's a lot that can be done by developers to beef up security - disabling anonymous access to unused & certain front-end modules/views (content/browse is another good one), setting custom HTTP headers in site.ini that clear out the X-Powered-By and Server headers etc - I'd encourage you to add your tips to http://www.ezpedia.org/learning/ez_publish_security - share.ez.no and doc.ez.no aren't so hot for collaboration....yet.

Modified on Thursday 15 March 2012 10:54:54 pm by Geoff Bentley
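The header hardening Geoff mentions (clearing the Server and X-Powered-By headers) is easy to verify from outside, and a check like that belongs next to the tip. The script below is an added example, not code from this thread or from the eZ Publish project. It assumes only a POSIX shell with awk and, for live use, curl; the threshold it applies (a bare "Server: Apache" is tolerated, a version number is not, and X-AspNet-Version is treated the same way as X-Powered-By) is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the eZ Publish project or from this thread.
# Checks an HTTP response header block for the disclosure headers named in the
# post (Server carrying a version string, X-Powered-By) and, as an assumed
# extension, X-AspNet-Version. Input: raw response headers on stdin, as
# produced by `curl -sI URL`. Output: one line per finding; exit status 0 when
# nothing is disclosed, 1 otherwise.

check_headers() {
    tr -d '\r' | awk -F': *' '
        # header names are case-insensitive, so compare the lowercased name
        { name = tolower($1) }
        name == "x-powered-by"     { print "disclosure: " $0; bad = 1 }
        name == "x-aspnet-version" { print "disclosure: " $0; bad = 1 }
        # assumed threshold: "Server: Apache" is tolerable, "Apache/2.2.22" is not
        name == "server" && $2 ~ /[0-9]+\.[0-9]+/ {
            print "version disclosure: " $0; bad = 1
        }
        END { if (bad) exit 1 }
    '
}

# Run against a live site when a URL is given on the command line, e.g.
#   sh check_headers.sh https://www.example.com/
if [ "$#" -gt 0 ]; then
    curl -sI -- "$1" | check_headers
fi
```

A non-zero exit makes the script usable as a post-deployment gate. The fix itself lives outside the CMS in most setups: `ServerTokens Prod` and `Header unset X-Powered-By` (mod_headers) in Apache, and `expose_php = Off` in php.ini, remove the two headers the post names; eZ's own custom-header support in site.ini, which the post refers to, is the in-application alternative.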

Friday 16 March 2012 9:07:13 am

@Geoff - the ezpedia page is probably a good place.  As soon as I have some time I'll collect my thoughts and add some things.

Wednesday 21 March 2012 4:16:51 pm

Hi everyone, 

Restoring the security advisories section is now part of my top priorities. Thanks for this feedback, and don't be misled: eZ has always been 100% open on security issues, and this will not be discontinued. Trust us to be transparent and open.

Cheers!

Monday 26 March 2012 3:59:32 pm

Hi guys, 

The freshest advisories are now published, and the "Security Advisories" section restored : http://share.ez.no/community-project/security-advisories

Also please have a look at the related blog post, giving more directions on this new series of advisories : http://share.ez.no/blogs/ez/secur...tly-patch-your-ez-publish-instances2

Cheers,

Tuesday 27 March 2012 9:00:00 am

Hi Nicolas,

That's great - thanks a lot!

Is it also possible to implement the possibility for email notifications for this section?

Tuesday 27 March 2012 11:28:55 am

Quote from Eirik Alfstad Johansen :

Hi Nicolas,

That's great - thanks a lot!

Is it also possible to implement the possibility for email notifications for this section?

Would an RSS feed do the deal? That can easily be set up.

Let me know,
Cheers, 

Tuesday 27 March 2012 11:54:39 am

Quote from Eirik Alfstad Johansen :

Hi Nicolas,

That's great - thanks a lot!

Is it also possible to implement the possibility for email notifications for this section?

Hi Eirik,

You can do this by visiting http://share.ez.no/notification/addtonotification/120078

Cheers,
Geoff

Tuesday 27 March 2012 12:37:15 pm

Hehe. Nice tip, Geoff. Didn't think of that.

Wednesday 28 March 2012 6:44:42 pm

Nice tip indeed.

Still, would you see a dedicated RSS feed as a useful tool ?

Cheers,

Wednesday 28 March 2012 7:13:33 pm

Speaking purely for myself, I'm currently not using any RSS reader, so it wouldn't be of much use to me, but I'm sure it would be useful in general.

Thursday 29 March 2012 7:24:46 am

Quote from Nicolas Pastorino :

Nice tip indeed.

Still, would you see a dedicated RSS feed as a useful tool ?

Cheers,

Thank you for returning the security alerts section! The eZ Publish CMS has a second-to-none security record which we should be proud of; the handling of security alerts is a different issue, however, and I'm encouraged to see it receive attention.

On the RSS feed, I previously found it useful, but it's not a replacement for email security alerts, which are vital IMHO.

What would others think of giving partners a head start on security releases? It would give eZ partners a chance to patch sites before they are publicly announced.
