<div dir="ltr"><div dir="ltr">On Wed, Sep 2, 2020 at 11:30 AM Henning Westerholt <<a href="mailto:hw@skalatan.de">hw@skalatan.de</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="DE">
<div class="gmail-m_262365729185436769WordSection1">
<p class="MsoNormal"><span lang="EN-GB">Hello Maxim,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">thank you for the clarification, appreciated.</span></p></div></div></blockquote><div><br></div><div>No worries, hope to have a civilized discussion.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="DE"><div class="gmail-m_262365729185436769WordSection1"><p class="MsoNormal"><span lang="EN-GB"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Just one clarification, my comment regarding the advisory from 2018 was not meant as advertisement etc..</span></p></div></div></blockquote><div><br></div><div>Point taken, I dramatized of course to underline my point. </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="DE"><div class="gmail-m_262365729185436769WordSection1"><p class="MsoNormal"><span lang="EN-GB"><u></u><u></u></span></p>
<p class="MsoNormal">One suggestion to objectify the whole discussion, there exists a well-known and accepted metric for vulnerabilities: CVSS [1]<br></p>
<p class="MsoNormal"><span lang="EN-GB">If I calculate the CVSS score for this issue, it results in a medium level with score 5.8. But this is of course again (at least somewhat) influenced from my point of view to this bug.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Some projects have a policy to only do a security announcement for vulnerabilities with score high and critical. For Kamailio this is not yet defined in a detailed way, due to the size
of the project and other factors.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">So, If people in this discussion (or other people on the list) are interested in improving the project security processes – this wiki page with the current process might be a good starting
point: <a href="https://www.kamailio.org/wiki/security/policy" target="_blank">https://www.kamailio.org/wiki/security/policy</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Please suggest your improvements to the existing process (preferable in a new discussion thread) on the sr-dev list. If you want to do it in private, feel free contact the management
list.</span></p></div></div></blockquote><div><br></div><div>Well, first suggestion after having read it: to start actually following what's documented before any improvements are made. ;-) The policy says plain and simple (quote):</div><div><br></div></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div class="gmail_quote"><div><h4 id="gmail-publishing_security_vulnerabilities" style="padding:0px;line-height:1.2;clear:left;font-size:14px;margin:0px 0px 1em;color:rgb(51,51,51);font-family:Arial,sans-serif">Publishing security vulnerabilities</h4></div></div></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div class="gmail_quote"><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">Kamailio will publish security vulnerabilities, including an CVE ID, on the kamailio-business mailing list, sr-dev, sr-users as well as related lists. </span><span style="font-family:Arial,sans-serif;font-size:14px"><font color="#ff0000">The advisories will also be published on the <a href="http://kamailio.org">kamailio.org</a> web site</font></span><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">.</span> </div></div><div class="gmail_quote"><div> </div></div><div class="gmail_quote"><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">CVE entries should be created for vulnerabilities in the core and major modules, for rarely used modules this is not necessary. If there are several security issues together in one release, they should be announced together.</span> </div></div></blockquote><div class="gmail_quote"><div> </div><div>I might be missing something obvious, but there is no "if" or "maybe" or "it depends". Any module that has been 18 years with the project qualifies to be a "major module" to me... </div><div><br></div><div>-Max</div></div></div>