mozilla / foundation-security-advisories
Canonical source for Mozilla Foundation Security Advisories. http://www.mozilla.org/security/announce/
License: Mozilla Public License 2.0
Hi
I'm writing a package url for the packages in the advisories and I would need the names and versions of packages explicitly. Currently, it appears that the pattern follows package_name version, and package_name is also allowed to have spaces.
Though there is no validation to make sure this pattern is followed.
Something like the following should be fine:
pkg.split(" ")[-1].replace('.','').isdigit()
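As an added example (not code from the issue or from the repository), here is one way to validate the "package_name version" pattern the issue describes, next to the one-liner proposed above. The regex, the sample entries and the function names are this example's own assumptions; the product names follow the fixed_in values visible elsewhere in this tracker. The pattern lets the product name contain spaces ("Firefox ESR") and requires a dotted numeric version at the end.

```python
import re

# Assumed shape of a fixed_in entry: "<product name> <version>". The product
# name may contain spaces; the version is digits separated by dots. This regex
# is an assumption of this example, not the repository's own check.
FIXED_IN_RE = re.compile(r"^(?P<name>\S+(?: \S+)*) (?P<version>\d+(?:\.\d+)*)$")


def split_fixed_in(entry):
    """Return (product, version) for a well-formed entry, or None otherwise."""
    m = FIXED_IN_RE.match(entry.strip())
    if not m:
        return None
    return m.group("name"), m.group("version")


def loose_check(entry):
    """The one-liner suggested in the issue: only looks at the last token."""
    return entry.split(" ")[-1].replace(".", "").isdigit()


def check_fixed_in(entries):
    """Return the entries a linter should report because they do not match."""
    return [e for e in entries if split_fixed_in(e) is None]


# Constructed sample input modelled on advisory fixed_in values.
SAMPLE = [
    "Firefox 71",
    "Firefox ESR 68.3",
    "Thunderbird 68.3.0",
    "Firefox",               # version missing
    "Firefox ESR 68.3 beta", # trailing word after the version
    "Firefox ESR68.3",       # no space before the version
    "71",                    # product name missing; loose_check accepts this
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e!r:28} strict={split_fixed_in(e)}  loose={loose_check(e)}")
```

The strict parser also yields the two parts a package url needs, whereas the one-liner only answers yes/no and accepts an entry with no product name at all.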
The python script does not seem to work correctly with Python 3.10 (default on Ubuntu 22.04). There is no error in creating the virtualenv and installing the dependencies, but running check_advisories --all yields parsing errors:
check_advisories --all
Checking all files
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE..
Checked 1253 files. Found 1251 errors.
ERRORS:
- announce/2011/mfsa2011-02.md: Failed to parse "March 1, 2011" as a date
- announce/2011/mfsa2011-29.md: Failed to parse "August 16, 2011" as a date
- announce/2011/mfsa2011-51.md: Failed to parse "November 8, 2011" as a date
...
Looking at the circle-ci script in the repo, it indicates that CI runs with Python 3.8, so I installed an alternate 3.8 version alongside my distro version, reinstalled the dependencies in the virtualenv, and everything works fine now.
I think it would be good to have the script work with other recent versions of Python.
There are a number of mobile products we want to put advisories out for. This ticket is to ensure the website supports that.
If you file a bug, it's not resolved, but we award it a hof+, we will almost certainly not add it to the hof, because the script doesn't look for "show me when this bug had the hof+ flag added" - it only uses the bug's creation date.
But we should be able to query a bug's change history from bugzilla to do this better...
What is the recommended way to find all advisories for "Firefox", or for "Firefox ESR"?
I want to be notified when a new security release is available, but there isn't any way to be notified.
An RSS feed or a mailing list announcement could be useful.
We almost published one of those accidentally, let's add a check to prevent it.
foundation-security-advisories/announce/2022/mfsa2022-44.yml
Lines 42 to 50 in 7d83bd1
Both Line 42 and Line 50 refer to the same CVE CVE-2022-42930
However the bugzilla points to CVE-2022-46884 as the correct CVE
Pocket independently operates their own bounty program through HackerOne. Let's get this under Mozilla's program and classify Pocket's web properties.
It's been requested that Pocket's HoF list be maintained somehow throughout this migration.
Advisory is supposed to be for Thunderbird but the fixed_in product is Firefox ESR
Firefox Bug Bounty Rewards is extremely outdated.
https://www.mozilla.org/security/bug-bounty/hall-of-fame/
The link below (from https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/) goes to a page which requires Google Account authentication and, presumably because I get Access Denied after authenticating with a non-Mozilla account, appropriate access to view it.
Not sure if the permissions need to change, or if it's ok to have a closed link in the sec advisory, but flagging it here for a decision. Thanks very much in advance!
We're opening this issue because your project has used Travis CI within the last 6 months. If you have already migrated off it, you can close and ignore this issue.
Travis CI is ending free builds on public repositories. travis-ci.com stopped providing them in early November, and travis-ci.org will stop after December 31, 2020. To avoid disruptions to your workflows, you must migrate to another CI service.
For production use cases, we recommend switching to CircleCI. This service is already widely used within Mozilla. There is a guide to migrating from Travis CI to CircleCI available here.
For non production use cases, we recommend either CircleCI or Github Actions. There is a guide to migrating from Travis CI to Github Actions available here. Github Actions usage within Mozilla is new, and you will have to work with our github administrators to enable specific actions following this process.
If you have any questions, reach out in #github-admin:mozilla.org on matrix.
Current checks at https://github.com/mozilla/foundation-security-advisories/blob/master/check_advisories.py#L162 ensure that all the required fields are present in the files.
Inversely, we should ensure that there are no extra fields either, e.g., due to a nesting error we had a CVE section hidden below a CVE section
As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:
If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].
(Message COC001)
Hi - over on Bedrock one of our ingestion scripts is unhappy, and the root cause seems to be this file and specifically the diff marker at the end. Could someone take a look, please?
Also switch travis CI to Python 3. Possibly dockerize all of this for consistency of platform.
For the 71 release, bedrock failed to parse our yaml files and put them in their database, yet no error was reported by our linter.
I found that we had this syntax in the new files
bugs:
- url: 1449736, 1533957, 1560667, 1567209, 1580288, 1585760, 1592502
- desc: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
While in older releases we had:
bugs:
- url: 1558522, 1577061, 1548044, 1571223, 1573048, 1578933, 1575217, 1583684, 1586845, 1581950, 1583463, 1586599
desc: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
Note the extra dash in front of the desc key.
We should have a check that the desc key should not have a dash in front or something like that.
We should add some formatting checks otherwise we wind up with issues like #135
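The two structural problems raised in this tracker, an unexpected key (a CVE section nested under another CVE section) and the extra dash that splits url and desc into two list items, both show up once the YAML is loaded as a mapping. As an added example that is not part of the repository's check_advisories.py, the checker below works on the already-loaded structure: the two bugs blocks are written inline as the dictionaries a YAML loader returns for the snippets quoted above, the allowed key sets are assumptions for this example based only on keys visible in this tracker, and the CVE identifiers in the nested sample are placeholders.

```python
import re

# Constructed inputs: what a YAML loader returns for the two "bugs:" snippets
# quoted in the issue. The broken form yields one list item per dash; the
# correct form yields a single item carrying both keys.
BROKEN_BUGS = [
    {"url": "1449736, 1533957, 1560667, 1567209, 1580288, 1585760, 1592502"},
    {"desc": "Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3"},
]
GOOD_BUGS = [
    {
        "url": "1558522, 1577061, 1548044, 1571223, 1573048, 1578933, "
               "1575217, 1583684, 1586845, 1581950, 1583463, 1586599",
        "desc": "Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2",
    },
]

# Key sets assumed for this example (not the repository's real schema).
BUG_REQUIRED = {"url", "desc"}
BUG_ALLOWED = BUG_REQUIRED
SECTION_ALLOWED = {"title", "bugs"}
CVE_KEY = re.compile(r"^CVE-\d{4}-\d{4,}$")


def check_bug_entries(bugs):
    """Return human-readable problems for a bugs list; empty means clean."""
    problems = []
    if not isinstance(bugs, list):
        return ["bugs: expected a list of entries"]
    for i, entry in enumerate(bugs):
        if not isinstance(entry, dict):
            problems.append(f"bugs[{i}]: expected a mapping, got {type(entry).__name__}")
            continue
        keys = set(entry)
        # A missing key on one item and the other key on the next item is the
        # signature of the extra dash in front of desc.
        for k in sorted(BUG_REQUIRED - keys):
            problems.append(f"bugs[{i}]: missing required key '{k}'")
        for k in sorted(keys - BUG_ALLOWED):
            problems.append(f"bugs[{i}]: unexpected key '{k}'")
    return problems


def check_advisory_sections(advisories):
    """Flag keys that do not belong in a CVE section, including a CVE mapping
    indented underneath another one, and recurse into each section's bugs."""
    problems = []
    for cve, section in advisories.items():
        if not CVE_KEY.match(cve):
            problems.append(f"{cve}: not a CVE identifier")
        if not isinstance(section, dict):
            problems.append(f"{cve}: expected a mapping")
            continue
        for k in sorted(set(section) - SECTION_ALLOWED):
            hint = " (nested CVE section?)" if CVE_KEY.match(k) else ""
            problems.append(f"{cve}: unexpected key '{k}'{hint}")
        if "bugs" in section:
            problems.extend(f"{cve}: {p}" for p in check_bug_entries(section["bugs"]))
    return problems


# Constructed sample with placeholder CVE ids: the second section was indented
# one level too deep and so ended up as a key inside the first one.
NESTED = {
    "CVE-0000-0001": {
        "title": "First section",
        "bugs": GOOD_BUGS,
        "CVE-0000-0002": {"title": "Hidden section", "bugs": GOOD_BUGS},
    },
}

if __name__ == "__main__":
    for name, bugs in (("good", GOOD_BUGS), ("broken", BROKEN_BUGS)):
        print(name, check_bug_entries(bugs) or "ok")
    print("nested", check_advisory_sections(NESTED))
```

Because the check rejects unknown keys instead of only requiring known ones, the nested section is reported as an unexpected key on its parent rather than silently dropped, which is the gap the extra-fields issue describes.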
title
, the title must be in single quotes.
but rather
It might be possible to use backticks instead of <code> tags also...