FOGProject / fogproject

An open source computer cloning & management system
https://fogproject.org
GNU General Public License v3.0

New release? #600

Closed. Neustradamus closed this 1 month ago

Neustradamus commented 1 month ago

Dear @FOGProject team, @Sebastian-Roth, @mastacontrola,

There are several vulnerabilities in 1.5.10; it is time to create a 1.5.11 (without the problem in the original 1.5.10 version tag):

Normally an announcement is done when the problem is solved (with a new release version).

Can you create it quickly?

Thanks in advance.

Linked to:

mastacontrola commented 1 month ago

This isn't the purpose of issues and we will create a new release when and as we can.

Yes, we're aware of security issues and have worked to fix them. So while there's not currently a master release that encapsulates the "fixes", there's no guarantee that making a release will automatically put everybody else on the "newest" version anyway.

As such our method is to push into the various branches, inform the community of the issues and where they are addressed.

Thank you.

Yes, a release will come; when it comes is another matter.

darksidemilk commented 1 month ago

@Neustradamus Per this issue and your comment in #599:

@mastacontrola: 1.5.10 is insecure; there are several vulnerabilities in 1.5.10 which are not fixed in a stable release (there is no 1.5.11), so it is important to create the 1.5.11 quickly.

The CVE process is long: the author informs, the team takes time to fix it, then the CVE is published.

We are in the process of creating a new semantic-versioning based and automated release process to handle this. There likely won't be a 1.5.11 (1.6 is more likely, with a UI overhaul), but we are going to make it easier/standard to install/update to the latest revision, i.e. 1.5.10.41, which is the current version you get if you install from dev-branch, where all these security issues are already handled.

And yes, the CVE process has been longer than we'd like, but this is an open source, community-managed product and we all only have so much free time on our hands. We do not ignore the reported issues, but we also try to follow the practice of not publishing them for all to see and freely exploit until they're handled. If there's something users can do themselves before we've patched it, we make it known. We take the security of FOG very seriously and patch as fast as we are able; some issues are more complicated than others and take time to be handled correctly.

I am going to close out this issue, but I'll link to a new issue for tracking the creation of the new release system.

In the interim, anyone can install from the dev-branch instead of the master branch to get a patched release if they don't want to manually patch with the instructions in those links you posted. Instructions on installing from the dev-branch are available here: https://docs.fogproject.org/en/latest/install-fog-server.

darksidemilk commented 1 month ago

A security-fix stable release will happen as part of #601. Closing this one out.

Neustradamus commented 1 month ago

Dear @FOGProject team, @darksidemilk: No, the latest official build is 1.5.10 (recall: badly, it has also been retagged in the past; look here: https://github.com/FOGProject/fogproject/issues/565).

Go here, to see what is the latest release:

Getting FOG Project
The latest release of FOG Project is 1.5.10, released March 5th 2023.

Please reopen this security ticket; FOG 1.5.10 is not secure, and there is no 1.5.11 release with all the vulnerability fixes.

Thanks in advance.

darksidemilk commented 1 month ago

@Neustradamus See https://github.com/FOGProject/fogproject/issues/601#issuecomment-2260955237. Since this is more of a discussion than an issue, I closed it out so as not to clutter our to-do for code.

#601 pertains to where we will create a new system for version tagging, which will fix the issues with the 1.5.10 retag.

We are not ignoring your request; we are implementing a solution that will solve the problem moving forward.