Open dom96 opened 3 years ago
Summary:
- Issue: Nimble does not check SSL certs during update
- Affected Nim releases: all, up to 1.4 (inclusive)
- To be fixed: 1.0, 1.2, 1.4
- Wontfix: < 1.0
- Fixed in: ?
- CVE: none yet
A small reminder that we have to issue a security notice. Preferably as soon as possible, given that the bugs had been disclosed.
Can this be closed now?
Have we published any security advisory?
I suggest updating the summary above
@dom96 @Araq - it seems that nobody has been opening CVEs for this and other issues. I can create them as drafts using https://github.com/nim-lang/Nim/security for both Nim and Nimble if given access. The process is more lightweight now and we can get CVEs assigned through GitHub.
@narimiran once assigned, CVEs could be added to the changelog of the last releases.
@Araq @narimiran
It doesn't appear to me that we mention the RCE bug at all in the latest release note: https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html
Is this fixed for 1.0? If it's not then we need a 1.0 release too.
@Araq you gave a thumbs up but I don't have permissions to create a draft advisory on https://github.com/nim-lang/Nim/security/advisories
@FedericoCeratto Made you an admin, let's see if it works...
@Araq I cannot create draft advisories on the Nim repo but I was able to create them in this one. Some are pending on CVEs being assigned.
The drafts are hidden from the public until published, then they follow the public/private repo settings. I suggest we make this repo public and use it for future advisories.
@Araq GitHub said they cannot assign a CVE unless this repo (https://github.com/nim-lang/security) is made public: https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx#advisory-comment-64763
Ok, so we need to file an issue for this on nim-lang/nim then. Right?
nim-lang/security should not be made public; it's for reporting security related bugs. We should make them public after a fix for these is available.
To summarize:
In short: the embargo mechanism is already built into GitHub's advisories workflow.
@Araq any thought? It would be nice if we could make some progress.
I made this repository public days ago. Sorry, I thought I had told you. :-)
We need to do the following AFAIK:
`nimble build && ./nimble refresh`
should work when compiled with that Nim 1.0.x) + the new Nimble release