Security Alert: Title goes here

ALERT! Note before anyone makes this page more sexy with tables and graphics. I have to be able to send this out as a text only email. And it is a pain having to spend half an hour reformatting. So please leave this template in a way that I can still copy and paste text to an email client. -- Kenneth

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists

This advisory alerts you to a potential security issue with your Foswiki installation. (explain more here)

Vulnerable Software Versions

Attack Vectors

(describe the attack vector here - typically given in the security report)

Impact

(describe the impact of the exploit)

Severity Level

(keep the level that applies; delete the other list items)

  • Severity 1 issue - The web server can be compromised
  • Severity 2 issue - The Foswiki installation is compromised
  • Severity 3 issue - Foswiki content or browser is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-20xx-xxxx to this vulnerability.

Details

(give more details about the exploit)

Countermeasures

  • Apply hotfix (see patch below).
  • Apply fix in Apache configuration (see below).
  • Upgrade to the latest patched production FoswikiRelease01x00x05.

Authors and Credits

Hotfix for Foswiki Production Release 1.0.0-1.0.4

Action Plan with Timeline

  • 2009-04-15 - User discloses issue to foswiki security mailing list (names here)
  • 2009-04-16 - Developer verifies issue (name)
  • 2009-04-16 - Security team triage the issue (Kenneth Lavrsen)
  • 2009-04-16 - Developer fixes code (names)
  • 2009-04-26 - Security team creates advisory with hotfix (Kenneth Lavrsen)
  • 2009-04-25 - Release Manager builds patch release (Kenneth Lavrsen)
  • 2009-04-27 - Send alert to foswiki-announce and foswiki-discuss mailing lists (Kenneth Lavrsen)
  • 2009-04-29 - Publish advisory in Support web and update all related topics (Kenneth Lavrsen)
  • 2009-04-29 - Reference to public advisory on Download page and Known Issues (Kenneth Lavrsen)
  • 2009-04-29 - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) (Kenneth Lavrsen)

Topic revision: 29 Apr 2009, IsaacLin
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere; see CopyrightStatement.