If you would like to report an issue you believe is security related, please notify comanage@sphericalcowgroup.com (this is an interim address until new procedures are established). Do not file a JIRA or email the users or developers lists, as those are all public.
In general, you should always upgrade to the latest version of COmanage as soon as practical, upgrading a QA or test server first. The further behind you fall, the harder it will probably be to upgrade if a highly critical security advisory is released.
Security Advisories
| Advisory | Affected Releases | Severity | Exposure |
|---|---|---|---|
| 2015-12-09 | 0.9.4 and earlier | Unknown | Unknown |
| 2017-01-30 | 0.9.1 through 1.0.5 | High or Very High | Low |
| 2018-05-30 | 0.9.4 through 3.1.0 | Very High | Low or Medium |
Severities
- Very High: Remotely exploitable without authentication
- High: Exploit requires authentication as any user
- Medium: Exploit requires authentication as any administrator
- Low: Exploit requires authentication as a platform administrator, or requires command line login access to server
Security Advisory Policy
- In general, please report security advisories to the email address at the top of this page. While we can create closed JIRA issues that are not publicly visible, you as the reporter may not be able to do so, and we'd rather not share information to the public until we are ready.
- Once the problem has been identified and a fix prepared, we will schedule a release date and make a public announcement. We will typically attempt to make the announcement 1 to 2 weeks ahead of the release date, however conditions may require a shorter or longer Announcement Period.
- After the public announcement but before the release date, no details about the issue will be made public.
- During the Announcement Period, we reserve the right to provide early access to selected deployers in order to ensure proper quality control and testing. Our expectation is that anyone who receives early access to the fix will not share it further without our permission.
- On the release date, we will simultaneously release both the fix (typically as a new maintenance release) as well as the technical details. Deployers should be prepared to apply the fix as soon as possible on the release date. (As on open source project, the fix will be public, and so there is limited -- if any – value in delaying release of the technical details.)
- Currently, the COmanage developers are unable to commit to providing security fixes for any version other than the latest release. Depending on the details of any given fix, it may or may not be plausible to backport fixes to earlier releases.