(Typo) |
(Add curl) |
Line 7: | Line 7: | ||
[http://www.pcre.org/ PCRE] (Perl-Compatible Regular Expressions) is a C library for implementing [https://en.wikipedia.org/wiki/Regular_expression regular expressions] in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by [https://cure53.de/ Cure53]. | [http://www.pcre.org/ PCRE] (Perl-Compatible Regular Expressions) is a C library for implementing [https://en.wikipedia.org/wiki/Regular_expression regular expressions] in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by [https://cure53.de/ Cure53]. | ||
The team found the following | The team found the following problems: | ||
* 1 Critical | * 1 Critical | ||
Line 25: | Line 25: | ||
[http://www.libjpeg-turbo.org/ libjpeg-turbo] is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by [https://cure53.de/ Cure53]. | [http://www.libjpeg-turbo.org/ libjpeg-turbo] is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by [https://cure53.de/ Cure53]. | ||
The team found the following | The team found the following problems: | ||
* 1 High | * 1 High | ||
Line 43: | Line 43: | ||
[https://www.phpmyadmin.net/ phpMyAdmin] is a web-based administration tool for MySQL databases. The audit was performed by [https://www.nccgroup.trust/ NCC Group]. | [https://www.phpmyadmin.net/ phpMyAdmin] is a web-based administration tool for MySQL databases. The audit was performed by [https://www.nccgroup.trust/ NCC Group]. | ||
The team found the following | The team found the following problems: | ||
* 3 Medium | * 3 Medium | ||
Line 60: | Line 60: | ||
[http://www.thekelleys.org.uk/dnsmasq/doc.html dnsmasq] is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by [https://cure53.de/ Cure53]. | [http://www.thekelleys.org.uk/dnsmasq/doc.html dnsmasq] is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by [https://cure53.de/ Cure53]. | ||
The team found the following | The team found the following problems: | ||
* 1 Medium | * 1 Medium | ||
Line 74: | Line 74: | ||
[http://www.zlib.net/ zlib] is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by [https://www.trailofbits.com/ Trail of Bits]. | [http://www.zlib.net/ zlib] is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by [https://www.trailofbits.com/ Trail of Bits]. | ||
The team found the following | The team found the following problems: | ||
* 1 Medium | * 1 Medium | ||
Line 83: | Line 83: | ||
One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation. | One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation. | ||
==curl== | |||
Dates: July - November 2016 | |||
[https://curl.haxx.se/ curl] is a command-line application for transferring data, most usually over HTTP or HTTPS. The audit was performed by [https://cure53.de/ Cure53]. | |||
The team found the following problems: | |||
* 4 High | |||
* 5 Medium | |||
* 9 Low | |||
* 5 Informational | |||
8 of the vulnerabilities resulted in [https://curl.haxx.se/docs/security.html security advisories] being produced by the curl team on November 2nd, 2016. | |||
* [[Media:Curl-report.pdf|Audit report]] | |||
* [https://docs.google.com/document/d/17EvPM_LHJiOQPGC8cZ7nd2_7Hs7PIhrQqa7s9-pylm0/edit Fix and validation log] |
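Review bot: the new curl section lists 23 findings (4 High, 5 Medium, 9 Low, 5 Informational) but only says that 8 of them led to security advisories, so a reader cannot reconcile the two numbers; state which severity levels those 8 advisories cover, or link each advisory back to the corresponding finding in the Cure53 report, as the other sections on this page do with their fix logs.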