Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 20 Jul 2016 09:15:26 -0700
From: Will Sargent <will.sargent@...htbend.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for the Play Framework

> > In version 2.5.0 of the Play Framework a CSRF bypass that depends upon
> > an implementation bug in chrome's beacon api was fixed.
>
> We think additional information would help in deciding whether this is
> commonly recognized as a Play Framework vulnerability (which would
> have a CVE ID) or Play Framework security hardening (which would not
> have a CVE ID). Our understanding thus far is:
>
>   - Play Framework is not an Atlassian product
>
>   - https://github.com/playframework/playframework/pull/5527#discussion-diff-51786858
>     says "In order to make Play's CSRF filter more resilient to
>     browser plugin vulnerabilities and new extensions, the default
>     configuration for the CSRF filter has been made far more
>     conservative."
>
>   - Chromium issue 490015 has some debate about whether it is a
>     Chrome/Chromium vulnerability, e.g., "The issue is whether it's
>     the browser responsibility to act as a nanny to weak websites, or
>     we should leave weak websites as sacrifice for great justice."
>     versus "To be clear, this is a security bug ... There is a
>     security bug in Chrome, but no action is being done."
>
> Typically, it would be best not to have a CVE for Play Framework if
> the essence of the Play Framework problem is "the product did not
> proactively add workarounds for all browser-level vulnerabilities that
> might be discovered later."

Thanks for your review -- Play is proactive about security, but does
rely on the integrity of the browser to implement key security features
(CORS, Same Origin Policy, security headers, etc) for that functionality.

Regarding your other questions, Play Framework ("Play" for short) is an
open source project -- the source code is owned and licensed by
Lightbend.  You can read more about it here:

https://www.playframework.com/community-process#Implementation-decisions

For reference, there is a mailing list for reporting vulnerabilities at
security@...yframework.org.

The mailing list for receiving Play Framework security announcements is
at https://groups.google.com/forum/#!forum/play-framework-security

And the HTML page for viewing Play security advisories reports is at
https://www.playframework.com/security/vulnerability

Thanks,
Will Sargent
Lightbend, Play Team




Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.