Secure Open Source has completed the following audits.

==2019==

===tcpdump & libpcap===
Dates: 2019

[https://www.tcpdump.org/ tcpdump & libpcap] are a powerful command-line packet analyzer and a portable C/C++ library for network traffic capture, respectively. The audit was performed by [http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html Michael Richardson].

The team found the following problems:
* 8 Verified Fixes

The documents are as follows:
* [https://blog.mozilla.org/netpolicy/files/2020/07/Tcpdump-Libpcap-IncludeSec-Code-Review-v1.pdf Audit report]
* [https://blog.mozilla.org/netpolicy/files/2020/07/libpcap_tcpdump-change_fix-log.pdf Fix and validation log]

===libssh===
Dates: 2019

[https://www.libssh.org/ libssh] is a multiplatform C library implementing the SSHv2 protocol on client and server side. The audit was performed by [https://cure53.de/ Cure53].

The team found the following problems:
* 1 Critical
* 1 Medium
* 7 Low
* 3 Informational

The documents are as follows:
* [https://blog.mozilla.org/netpolicy/files/2020/07/pentest-report_libssh.pdf Audit report]
* [https://blog.mozilla.org/netpolicy/files/2020/07/SSH-01-Fix-Verification.pdf Fix and validation log]

==2018==

===graphite===
Dates: August 2018

[https://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_home graphite] is "a 'smart font' system developed specifically to handle the complexities of lesser-known languages of the world." The audit was performed by [https://radicallyopensecurity.com/ Radically Open Security].

The team found the following problems:
* 1 Elevated
* 9 Moderate
* 11 Low

The documents are as follows:
* [https://wiki.mozilla.org/images/9/98/Graphite-report.pdf Audit report]
* [https://docs.google.com/document/d/1LOkCQtkF0dDch56kzl5rqNM4layoTUVjaljSOFWMS5U/edit#heading=h.2li2rmo2r9oa Fix and validation log]

===Thunderbird and Enigmail===
Dates: January 2018

[https://www.thunderbird.net/en-US/ Thunderbird] and [https://www.enigmail.net/index.php/en/ Enigmail] work together to provide a free, simple interface for OpenPGP email security. The audit was performed by [https://cure53.de/ Cure53].

The team found the following problems:
* 3 Critical
* 3 High
* 3 Medium

The documents are as follows:
* [https://wiki.mozilla.org/images/0/0b/Thunderbird-enigmail-report.pdf Audit report]
* [https://docs.google.com/document/d/1rZvwX-GOt9iis__CkCLtSWlz0359d_TN_vs8qp9m5ps/edit?ts=5b576f00#heading=h.2li2rmo2r9oa Fix and validation log]

===SimpleSAMLphp===
Dates: January 2018

[http://simplesamlphp.org/ SimpleSAMLphp] is an application written in native PHP that deals with authentication. The audit was performed by [https://cure53.de/ Cure53].

The team found the following problems:
* 1 Critical
* 3 Medium
* 1 Informational

The documents are as follows:
* [https://wiki.mozilla.org/images/3/34/SimpleSAML_audit_report_1.pdf Audit report]
* [https://wiki.mozilla.org/images/f/fb/SimpleSAMLphp_SOS_Fund_Audit_Fix_Log.pdf Fix and validation log]

===oauth2-server===
Dates: September 2017 - February 2018

[https://github.com/thephpleague/oauth2-server oauth2-server] is a standards-compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by [https://leastauthority.com/ Least Authority].

The team found the following problems:
* 1 High
* 3 Medium
* 1 Low
* 2 Informational

The documents are as follows:
* [[Media:Oauth2-server-report-2.pdf|Audit report]]
* [https://docs.google.com/document/d/1xSP-Cb3I2o1XtCK8EfYxdEBDpgDeLvinaFXRYvhbEeA/edit# Fix and validation log]

===Knot DNS===
Dates: September 2017 - January 2018

[https://www.knot-dns.cz/ Knot DNS] is a high-performance authoritative-only DNS server which supports all key features of the modern domain name system. Also audited was [https://www.knot-resolver.cz/ Knot Resolver], a caching full DNS resolver implementation, including both a resolver library and a daemon. The audit was performed by [https://leastauthority.com/ Least Authority].

The team found the following problems:
* 4 Medium
* 7 Low
* 2 Informational

Least Authority made the following comment on the code quality: "Overall, we found the code to be well structured and cleanly written. Additionally Knot makes good use of available tools, such as fuzzers and compiler sanitizers."

The documents are as follows:
* [[Media:Knot-dns-report.pdf|Audit report]]
* [https://docs.google.com/document/d/1FUlxVZdtlr6cDNtsHlzBI1d0IpGA_ey7zY-_xv-VWRM/edit# Fix and validation log]

==2017==

===CakePHP===
Dates: July - November 2017

[https://cakephp.org/ CakePHP] is an open source web framework in PHP. The audit was performed by [https://www.nccgroup.trust/ NCC Group].

The team found the following problems:
* 1 High
* 5 Medium
* 9 Low
* 5 Informational

The documents are as follows:
* [[Media:Cakephp-report.pdf|Audit report]]
* [https://docs.google.com/document/d/1oJg5XqEZasm6RE-Ql7D7OUSiUhXFKApCPMwZxFaq0W8/edit# Fix and validation log]

===chrony===
Dates: June - September 2017

[http://chrony.tuxfamily.org/ chrony] is an implementation of the Network Time Protocol, used either to set the time on a particular machine or act as an NTP server for other machines on the network. The audit was performed by [https://cure53.de/ Cure53], and kindly funded by [https://www.coreinfrastructure.org/ CII].

The team found the following problems:
* 2 Low

Cure53 wrote: "The overwhelmingly positive result of this security assignment performed by three Cure53 testers can be clearly inferred from a marginal number and low-risk nature of the findings amassed in this report. Withstanding eleven full days of on-remote testing in August of 2017 means that Chrony is robust, strong, and developed with security in mind. The software boasts sound design and is secure across all tested areas. It is quite safe to assume that untested software in the Chrony family is of a similarly exceptional quality. In general, the software proved to be well-structured and marked by the right abstractions at the appropriate locations. While the functional scope of the software is quite wide, the actual implementation is surprisingly elegant and of a minimal and just necessary complexity. In sum, the Chrony NTP software stands solid and can be seen as trustworthy."

The documents are as follows:
* [[Media:Chrony-report.pdf|Audit report]]
* [https://docs.google.com/document/d/1HpGgX4r-81BWfPmas7L2WGfByJrVEIc4hAOXLEaaV_4/edit# Fix and validation log]

===expat===