nim-lang / security

Embargoed security issues that will be made public after a fix is made available. Use https://github.com/nim-lang/security/security

Backport SSL fixes to 1.0.x and release with new Nimble #2

Open dom96 opened 3 years ago

dom96 commented 3 years ago

We need to do the following AFAIK:

FedericoCeratto commented 3 years ago

Summary:

  Issue: Nimble does not check SSL certs during update
  Affected Nim releases: all, up to 1.4 (inclusive)
  To be fixed: 1.0, 1.2, 1.4
  Wontfix: < 1.0
  Fixed in: ?
  CVE: none yet

alaviss commented 3 years ago

A small reminder that we have to issue a security notice. Preferably as soon as possible, given that the bugs had been disclosed.

dom96 commented 3 years ago

Can this be closed now?

alaviss commented 3 years ago

Have we published any security advisory?

FedericoCeratto commented 3 years ago

I suggest updating the summary above.

FedericoCeratto commented 3 years ago

@dom96 @Araq - it seems that nobody has been opening CVEs for this and other issues. I can create them as drafts using https://github.com/nim-lang/Nim/security for both Nim and Nimble if given access. The process is more lightweight now and we can get CVEs assigned through GitHub.

@narimiran once assigned, CVEs could be added to the changelog of the last releases.

alaviss commented 3 years ago

@Araq @narimiran

It doesn't appear to me that we mention the RCE bug at all in the latest release note: https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html

Is this fixed for 1.0? If it's not then we need a 1.0 release too.

FedericoCeratto commented 3 years ago

@Araq you gave a thumbs up but I don't have permissions to create a draft advisory on https://github.com/nim-lang/Nim/security/advisories

Araq commented 3 years ago

@FedericoCeratto Made you an admin, let's see if it works...

FedericoCeratto commented 3 years ago

@Araq I cannot create draft advisories on the Nim repo but I was able to create them in this one. Some are pending on CVEs being assigned.

The drafts are hidden from the public until published; after that they follow the public/private repo settings. I suggest we make this repo public and use it for future advisories.

FedericoCeratto commented 3 years ago

@Araq GitHub said they cannot assign a CVE unless this repo (https://github.com/nim-lang/security) is made public: https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx#advisory-comment-64763

Araq commented 3 years ago

Ok, so we need to file an issue for this on nim-lang/nim then. Right?

Araq commented 3 years ago

nim-lang/security should not be made public, it's for reporting security related bugs, we should make them public after a fix for these is available.

FedericoCeratto commented 3 years ago

To summarize:

  1. I cannot create advisories at https://github.com/nim-lang/Nim/security/advisories due to GitHub permissions
  2. I created them as drafts at https://github.com/nim-lang/security/security/advisories
  3. Draft advisories are kept secret by GitHub regardless of the public/private status of the repository
  4. GitHub needs the repository (not the advisories) to be public to assign CVE numbers to draft advisories
  5. Once completed/fixed, advisories go from draft to public and become visible to everybody

In short: the embargo mechanism is already built into GitHub's advisories workflow.

FedericoCeratto commented 3 years ago

@Araq any thoughts? It would be nice if we could make some progress.

Araq commented 3 years ago

I made this repository public days ago. Sorry, I thought I had told you. :-)