From ca8336867b627a8075719c70b3f415f20255c23c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 14 Nov 2024 02:12:43 +1000 Subject: [PATCH] reports: add 2024 Q3 report --- reports/2024-11-14-Q3-report.md | 145 ++++++++++++++++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 reports/2024-11-14-Q3-report.md diff --git a/reports/2024-11-14-Q3-report.md b/reports/2024-11-14-Q3-report.md new file mode 100644 index 0000000..58a4cbc --- /dev/null +++ b/reports/2024-11-14-Q3-report.md @@ -0,0 +1,145 @@ +# Haskell Security Response Team - 2024 July–October report + new members + +The Haskell Security Response Team (SRT) is a volunteer organization +within the Haskell Foundation that is building tools and processes +to aid the entire Haskell ecosystem in assessing and responding to +security risks. In particular, we maintain a [database][repo] of +security advisories that can serve as a data source for security +tooling. + +This report details the SRT activities from July through October +\2024. We extended this reporting period by one month to include +the results of our recent Call for Volunteers. + +[repo]: https://github.com/haskell/security-advisories + +The SRT is: + +- Fraser Tweedale +- Gautier Di Folco +- Lei Zhu (new!) +- Mihai Maruseac +- Montez Fitzpatrick (new!) +- Tristan de Cacqueray + + +## How to contact the SRT + +For assistance in coordinating a security response to newly +discovered, high impact vulnerabilities, contact +`security-advisories@haskell.org`. Due to limited resources, we can +only coordinate embargoed disclosures for high impact +vulnerabilities affecting current versions of core Haskell tools and +libraries, or in other exceptional cases. + +You can submit lower-impact or historical vulnerabilities to the +advisory database via a pull request to our [GitHub +repository][repo]. + +You can also contact the SRT about non-advisory/security-response +topics. We prefer public communication where possible. In most +cases, [GitHub issues][gh-new-issue] are an appropriate forum. But +the mail address is there if no other appropriate channel exists. + +[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose + + +## Growing the SRT + +Following our mid-year decision to grow the SRT, José on behalf of +the SRT published a [Call for Volunteers]. Applications closed at +the end of September, with 4 applications received. Thank you to +all applicants! We accepted 2 of the proposals, having in mind the +long term sustainability of the SRT as a volunteer organisation +(i.e. we should avoid burning the willing volunteers all at once!) + +The new members of the SRT are: + +- **Lei Zhu**, who brings experience with web security, Linux + security, privacy regulations and threat analysis. Lei has also + contributed to HLS, vscode-haskell, and related projects, and + maintains the *array* package. + +- **Montez Fitzpatrick** has a breadth of cybersecurity experience + across two decades. As CISO of a healthcare company, GRC is + his current focus. He has used Haskell professionally to build + tooling for cybersecurity tasks. + and is currently the CISO of a healthcare company. + +Welcome to the team! + +[Call for Volunteers]: https://discourse.haskell.org/t/call-for-volunteers-haskell-security-response-team-2024/10287 + + +## Advisory database + +1 contemporary advisory was published during the reporting period. + +0 historical advisories were added during the reporting period. + +2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved +for embargoed vulnerabilities, which will be published later. + +Additionally, [HSEC-2024-0003] received substantive updates, because +it was discovered that the original fix was incomplete. + +We ask community members to report any known security issues, +including historical issues, that are not yet included. + +[HSEC-2024-0003]: https://osv.dev/vulnerability/HSEC-2024-0003 + + +## `haskell.org` Apache security update + +In early August bug hunter Divya Singh ([Dgirlwhohacks]) notified +the SRT that the version of Apache httpd serving `haskell.org` was +vulnerable to CRLF injection. We escalated the issue to the +[Haskell Infrastructure Admins][haskell-infra], and Gershom Bazerman +promptly resolved the issue by upgrading Apache. Thanks to Divya +for reporting, and Gershom for fixing the issue. + +[Dgirlwhohacks]: https://www.linkedin.com/in/dgirlwhohacks/ +[haskell-infra]: https://github.com/haskell-infra/haskell-admins + + +## *hackage-server* "Reporting Vulnerabilities" link + +Gautier implemented a *Reporting Vulnerabilities* link on package +pages in *hackage-server* ([pull request #1292]). The change has +been deployed on `hackage.haskell.org`. For now it links to +`CONTRIBUTING.md` in the *haskell/security-advisories* GitHub +repository. + +In the future we would like to improve the contributor experience +(e.g. a web form). But this small change is a big improvement +because it alerts users that they *can* report security issues. + +[pull request #1292]: https://github.com/haskell/hackage-server/pull/1292 + + +## Tooling updates + +- CVSS 4.0 support is stalled. andrii (@unorsk) did significant + initial work, and Fraser is reviewing, iterating and integrating + it. CVSS 4.0 is *much* more complex than previous versions, and + parts of the specification are ambiguous. We hope to finish the + implementation and release updates around the end of year. + +- Hécate is working on integrating security advisory data in + *flora-server* ([pull + request](https://github.com/flora-pm/flora-server/pull/762)). + They engaged the SRT for review (Gautier answered the call). + +- Because [Flora](https://flora.pm/) indexes Haskell packages from + namespaces beyond Hackage (e.g. Cardano), there is an ask + ([#240](https://github.com/haskell/security-advisories/issues/240)) + to extend the Advisory DB data model and tooling to support + additional namespaces. We have agreed on the approach but we have + not started implementing it. + +- Mihai has been following the work by Janus Troelsen to add Haskell + support to [Renovate](https://github.com/renovatebot/renovate), an + automated dependency update tool. + - [Feature request](https://github.com/renovatebot/renovate/issues/8187) + - [PVP versioning module discussion](https://github.com/renovatebot/renovate/discussions/31663) + - [PVP versioning scheme pull request (open)](https://github.com/renovatebot/renovate/pull/32298)