[This is a periodic reminder.]
If you ever come across something that might have a security impact on
users, e.g. permit access to a resource that should be inaccessible,
allow access to a user's account, or in some way compromise the security
of the Foreman installation, please take care in how you handle it.
Security issues might be things that you find through using or
developing on the Foreman codebase, or that you've seen a report on -
e.g. in Redmine or RHBZ, on our mailing lists or IRC channel. It's
quite possible others haven't seen it or realised the impact.
First, e-mail foreman-security@googlegroups.com with as much information
as you have. It's best to e-mail as soon as you have reasonable
evidence - we'd rather hear about it sooner than later. This list has a
small, mixed group of project maintainers, security specialists from Red
Hat and distribution maintainers (Red Hat and FreeBSD today), and we'll
contact plugin maintainers or specialists when appropriate.
We'll treat the issue as confidential and evaluate it as soon as
possible to determine whether it's a problem and what the impact is.
Please also treat it with confidentiality and don't post about it in
Redmine or on mailing lists or IRC.
For low to medium issues, we'll open a public ticket in Redmine and
anyone, including you, can work on it as usual. For high severity
issues, we may keep the issue embargoed and prepare a patch for
immediate release. We'll try and keep you in the loop, and will if you
like give credit to you for finding the issue.
If in doubt, please e-mail foreman-security@googlegroups.com.
You can find some of this information, including the e-mail address at
any time from our web site, under Documentation > Security
(Foreman :: Security). Information about how we handle
reports to foreman-security is held on
Security process - Foreman.
Cheers,