Closed mnm678 closed 2 years ago
Should we add the advisory to the reference implementation advisory page https://github.com/uptane/uptane/security/advisories ?
I tried to do so, but I don't think it's possible without un-archiving the repository
Solved in #226
As mentioned on the 11/9 standards call and in response to the TUF CVE, we should add a note to the standard (or at least the deployment pages) about the possible client path traversal and how to prevent it. To be clear, this is not a security issue in the standard, but it may affect Uptane implementations that were based on the python-tuf reference implementation.
I suggest adding a sentence to the metadata about images section that recommends either url encoding filenames or limiting the character set for these filenames.
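The two mitigations the issue proposes, percent-encoding target filenames and restricting them to a safe character set, can both be implemented client-side before a target name is ever turned into a filesystem path. The following is an added example and not code from the Uptane or python-tuf projects; the function names, the `download_dir` argument and the `/tmp/uptane-targets` directory are assumptions made for illustration. It also adds a third, defence-in-depth check that a resolved path still lies inside the download directory, which catches traversal even when the encoding or allowlist step is skipped by mistake.

```python
import os
import re
from urllib.parse import quote

# Hypothetical allowlist for target names: path segments separated by '/',
# each segment starting with an alphanumeric character (so '.' and '..'
# segments are rejected) and containing only [A-Za-z0-9._-].
_SEGMENT = r"[A-Za-z0-9][A-Za-z0-9._-]*"
_ALLOWED_TARGET_NAME = re.compile(rf"{_SEGMENT}(?:/{_SEGMENT})*")


class UnsafeTargetPath(ValueError):
    """Raised when a target name would escape the client's download directory."""


def encoded_target_filename(target_name: str) -> str:
    """Mitigation 1: percent-encode the target name so that '/', '\\' and
    similar characters can never act as path separators on disk.
    safe='' means even '/' is encoded (urllib leaves it alone by default)."""
    return quote(target_name, safe="")


def is_allowed_target_name(target_name: str) -> bool:
    """Mitigation 2: accept only target names drawn from a restricted character
    set. Absolute paths, empty segments ('a//b') and dot-segments all fail."""
    return _ALLOWED_TARGET_NAME.fullmatch(target_name) is not None


def safe_target_path(download_dir: str, target_name: str) -> str:
    """Defence in depth: return the absolute path a target may be written to,
    or raise UnsafeTargetPath if the resolved path leaves download_dir.
    realpath() also resolves symlinks, so a symlinked download_dir is handled."""
    if not target_name or "\x00" in target_name:
        raise UnsafeTargetPath("empty or NUL-containing target name")
    base = os.path.realpath(download_dir)
    # os.path.join discards base when target_name is absolute; the containment
    # check below catches that case as well as '..' traversal.
    candidate = os.path.realpath(os.path.join(base, target_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeTargetPath(f"target name escapes download directory: {target_name!r}")
    return candidate


def is_safe_target_name(download_dir: str, target_name: str) -> bool:
    """Boolean wrapper around safe_target_path for callers that just want a check."""
    try:
        safe_target_path(download_dir, target_name)
    except (UnsafeTargetPath, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample target names, including traversal attempts.
    for name in ["ecu/firmware-1.2.bin", "../../etc/passwd", "/etc/passwd", "ecu/.hidden"]:
        print(f"{name!r}: encoded={encoded_target_filename(name)!r} "
              f"allowlist={is_allowed_target_name(name)} "
              f"contained={is_safe_target_name('/tmp/uptane-targets', name)}")
```

Either of the first two checks on its own is enough to close the traversal the issue describes; encoding keeps arbitrary names usable at the cost of less readable filenames on disk, while the allowlist is simpler to audit. Applying the containment check as well means a future refactor that forgets to encode or validate still cannot write outside the download directory.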