<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 12px;" lang="x-western">On 10/09/2012 03:13 PM, Klaas
Freitag wrote:
<br>
<blockquote type="cite" style="color: #000000;">
On 09.10.2012 14:48, Lukas Reschke wrote:
<br>
Hi,
<br>
<blockquote type="cite" style="color: #000000;">In the past we
had multiple serious security vulnerabilities and we
<br>
sometimes needed 2 weeks to release a new version. This is
horrible!
<br>
</blockquote>
Hmm, I am not an expert in this space, but from my former life I
know that it often took way longer to prepare security updates
for known problems in the distros, but the CVEs were very well
kept secret.
<br>
<br>
Can somebody briefly explain or point to docs on what the usual
procedure is if somebody discovers or silently reports a
security hole to a closed list like this? Or what our idea of
an ideal process would be?
<br>
</blockquote>
<br>
Lukas has written it down somewhere. He might know the URL.
<br>
<br>
<blockquote type="cite" style="color: #000000;">
<blockquote type="cite" style="color: #000000;">Another point is
that our users are often using old versions, we should
<br>
really show a **BIG** update warning like Wordpress does. Just
check
<br>
yourself how many people use old versions:
<br>
<a class="moz-txt-link-freetext" href="http://goo.gl/u6URG">http://goo.gl/u6URG</a>
<br>
</blockquote>
Well, there are two principal ways to deal with that:
<br>
1. owncloud tells the admin that it's old and offers to update
itself
<br>
2. we work with the distributors to quickly provide updates.
<br>
</blockquote>
<br>
Also, bigger companies usually go with a dev/stage/prod 3-tier
setup. They usually cannot just press an update button without
ruining things. But that should not be our primary concern. Let's
be pragmatic. For instance, the Google Chrome packages (even if
installed manually) add a repo and a cron job that pulls only that
particular repo for updates, thus making sure that the latest
version is applied. I'd like to see something like this for
ownCloud (even if optional).
<br>
<br>
<blockquote type="cite" style="color: #000000;">Probably we will
strive for 1. but have to help with 2. as well. 1. is very
dangerous and needs deep testing. So easier for us is 2.
<br>
Hmm, will it? We (the client) need to know and consider that.
And if we apply changes here, we should also rename it to
status.txt, i.e. not require PHP to get it.
<br>
</blockquote>
<br>
Yes, we kind of decided that over your head :-). The reason is that
it's quite a bad case of information disclosure. The client, in
the future, will need to authenticate first, then check the file.
We can then also use it for more elaborate client policy stuff,
since we know the user it's targeted for. It would then not be a
txt file either.
<br>
<br>
PS: Someone please set this list to list-reply...<br>
<br>
<div class="moz-txt-sig"><span class="moz-txt-tag">-- <br>
</span><a class="moz-txt-link-abbreviated"
href="http://www.owncloud.com">www.owncloud.com</a> - Your
Data, Your Cloud, Your Way!
<br>
<br>
ownCloud GmbH, GF: Markus Rex, Holger Dyroff
<br>
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
<br>
<br>
</div>
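An added illustration of the authenticated status check discussed in this message (example code written for this page, not ownCloud's own): the old world-readable status file beside a variant that tells anonymous callers only that the service is up and releases the version plus a per-user client policy only after authentication. The version string, tokens and policy table are constructed sample data.

```python
"""Status endpoint: world-readable version (old) vs. authenticated (proposed)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data; a real server would read these from its
# config and user database.
SERVER_VERSION = "4.5.1"                       # hypothetical version
_VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
# Hypothetical per-user policy: oldest client version the user may sync with.
_CLIENT_POLICY = {"alice": {"min_client": "1.1.0"},
                  "bob": {"min_client": "1.0.0"}}


@dataclass
class Request:
    token: Optional[str] = None      # session/bearer token, None if anonymous
    client_version: str = "0.0.0"    # version the sync client reports


def _parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def status_unauthenticated(_: Request) -> dict:
    """The pattern the thread objects to: anyone can read the server version."""
    return {"installed": True, "version": SERVER_VERSION}


def status_authenticated(req: Request) -> Tuple[int, dict]:
    """Return (http_status, body).

    Anonymous callers learn only that the service is installed. Once the
    token maps to a user, the body carries the version and that user's
    client policy, which is what lets the server drive update decisions
    per user instead of per installation.
    """
    user = _VALID_TOKENS.get(req.token or "")
    if user is None:
        return 401, {"installed": True}        # no version leaks here
    policy = _CLIENT_POLICY[user]
    too_old = _parse_version(req.client_version) < _parse_version(policy["min_client"])
    return 200, {
        "installed": True,
        "version": SERVER_VERSION,
        "user": user,
        "min_client": policy["min_client"],
        "update_required": too_old,
    }
```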
</div>
<br>
</body>
</html>