Security Bulletin file format
From TYPO3Wiki
This is a proposal for a Security Bulletin file format that extensions can use to automatically notify (for example by email) about security issues affecting a TYPO3 installation.
EXAMPLES
EXAMPLE DATA:
<security-bugs>
  <security-bug>
    <type>extension</type>
    <extkey>sg_zfelib</extkey>
    <bulletin>TYPO3-20080527-2</bulletin>
    <affected-versions>
      <version-range>
        <start>1.1.0</start>
        <end>1.1.512</end>
      </version-range>
      <version-range>
        <start>2.0.0</start>
        <end>2.2.982</end>
      </version-range>
      <version>3.0.1</version>
      <version>3.0.2</version>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>core</type>
    <bulletin>TYPO3-20080527-2</bulletin>
    <affected-versions>
      <version-range>
        <start>0.0.0</start>
        <end>3.8.0</end>
      </version-range>
      <version>4.0RC1</version>
    </affected-versions>
  </security-bug>
</security-bugs>
REAL EXAMPLE: the 3 latest extension and the 3 latest core security bugs:
<security-bugs>
  <security-bug>
    <type>extension</type>
    <extkey>sg_zfelib</extkey>
    <bulletin>TYPO3-20080527-2</bulletin>
    <affected-versions>
      <version-range>
        <start>0</start>
        <end>1.1.512</end>
      </version-range>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>extension</type>
    <extkey>kj_imagelightbox2</extkey>
    <bulletin>TYPO3-20080527-1</bulletin>
    <affected-versions>
      <version-range>
        <start>0</start>
        <end>1.4.2</end>
      </version-range>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>extension</type>
    <extkey>air_filemanager</extkey>
    <bulletin>TYPO3-20080515-2</bulletin>
    <affected-versions>
      <version-range>
        <start>0</start>
        <end>0.6.0</end>
      </version-range>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>core</type>
    <bulletin>TYPO3-20071210-1</bulletin>
    <affected-versions>
      <version-range>
        <start>3.0.0</start>
        <end>3.8.0</end>
      </version-range>
      <version-range>
        <start>4.0.0</start>
        <end>4.0.7</end>
      </version-range>
      <version-range>
        <start>4.1.0</start>
        <end>4.1.3</end>
      </version-range>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>core</type>
    <bulletin>TYPO3-20070221-1</bulletin>
    <affected-versions>
      <version-range>
        <start>3.0.0</start>
        <end>3.8.1</end>
      </version-range>
      <version-range>
        <start>4.0.0</start>
        <end>4.0.5</end>
      </version-range>
      <version>4.1beta</version>
      <version>4.1RC1</version>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>core</type>
    <bulletin>TYPO3-20061220-1</bulletin>
    <affected-versions>
      <version-range>
        <start>4.0.0</start>
        <end>4.0.3</end>
      </version-range>
      <version>4.1beta</version>
    </affected-versions>
  </security-bug>
</security-bugs>
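The consuming side of this format is a checker that reads the file and compares the installed core and extension versions against each version-range (inclusive) and each exact version. The following Python script is an added example, not code from the wiki page or from any TYPO3 extension; Python is used here rather than PHP so the logic can be run stand-alone. The version comparison (numeric components padded to three, a textual suffix such as RC1 or beta sorting before the final release with the same numbers) and the tolerant pairing of several start/end elements inside one version-range are assumptions of this example, not part of the proposal. The sample document is constructed from bulletins shown on this page.

```python
"""Check a TYPO3 installation against a security-bugs XML file (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the proposed format, built from bulletins shown on the page.
# The last entry deliberately packs two start/end pairs into one version-range
# to show that the parser pairs them in document order.
SAMPLE_XML = """<security-bugs>
  <security-bug>
    <type>extension</type><extkey>kj_imagelightbox2</extkey>
    <bulletin>TYPO3-20080527-1</bulletin>
    <affected-versions>
      <version-range><start>0</start><end>1.4.2</end></version-range>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>core</type><bulletin>TYPO3-20071210-1</bulletin>
    <affected-versions>
      <version-range><start>3.0.0</start><end>3.8.0</end></version-range>
      <version-range><start>4.0.0</start><end>4.0.7</end></version-range>
      <version-range><start>4.1.0</start><end>4.1.3</end></version-range>
    </affected-versions>
  </security-bug>
  <security-bug>
    <type>core</type><bulletin>TYPO3-20070221-1</bulletin>
    <affected-versions>
      <version-range><start>3.0.0</start><end>3.8.1</end>
                     <start>4.0.0</start><end>4.0.5</end></version-range>
      <version>4.1beta</version>
      <version>4.1RC1</version>
    </affected-versions>
  </security-bug>
</security-bugs>
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(text):
    """Sortable key for TYPO3-style versions such as 0, 3.8.1, 4.0RC1, 4.1beta.
    Numeric parts are padded to three components. A non-empty suffix marks a
    pre-release, which sorts before the final release with the same numbers
    (so 4.0RC1 < 4.0.0); suffixes compare case-insensitively (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable version: %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    suffix = m.group(2).strip().lower()
    return (tuple(nums), 0 if suffix else 1, suffix)


def parse_bulletins(xml_text):
    """Return one dict per <security-bug>: type, extkey (None for core),
    bulletin, ranges as (start, end) pairs, and exact versions."""
    root = ET.fromstring(xml_text)
    bugs = []
    for bug in root.findall("security-bug"):
        ranges, versions = [], []
        av = bug.find("affected-versions")
        if av is not None:
            for vr in av.findall("version-range"):
                starts = [e.text for e in vr.findall("start")]
                ends = [e.text for e in vr.findall("end")]
                # Reject a range without an end: "all versions affected" cannot
                # be expressed, which is exactly problem 1 on the page.
                if not starts or len(starts) != len(ends):
                    raise ValueError("version-range needs matching start/end pairs")
                ranges.extend(zip(starts, ends))  # pairs in document order
            versions = [v.text for v in av.findall("version")]
        bugs.append({"type": bug.findtext("type"), "extkey": bug.findtext("extkey"),
                     "bulletin": bug.findtext("bulletin"),
                     "ranges": ranges, "versions": versions})
    return bugs


def is_affected(bug, installed_version):
    """True if the installed version lies in an inclusive range or matches exactly."""
    key = version_key(installed_version)
    if any(version_key(s) <= key <= version_key(e) for s, e in bug["ranges"]):
        return True
    return any(version_key(v) == key for v in bug["versions"])


def matching_bulletins(bugs, core_version, extensions):
    """extensions maps extkey -> installed version. Returns sorted
    (bulletin, component) pairs that apply to this installation."""
    hits = []
    for bug in bugs:
        if bug["type"] == "core" and is_affected(bug, core_version):
            hits.append((bug["bulletin"], "core"))
        elif bug["type"] == "extension":
            installed = extensions.get(bug["extkey"])
            if installed is not None and is_affected(bug, installed):
                hits.append((bug["bulletin"], bug["extkey"]))
    return sorted(hits)


if __name__ == "__main__":
    found = parse_bulletins(SAMPLE_XML)
    for bulletin, component in matching_bulletins(found, "4.0.5", {"kj_imagelightbox2": "1.4.2"}):
        print("%s affects %s" % (bulletin, component))
```

A notification extension would run `matching_bulletins` against the installed core version and the extension list, then mail whatever it returns; because ranges are inclusive, an installation on exactly the `<end>` version is still reported.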
PROBLEMS
1. Some Security Bulletins use the phrase "All versions affected" without any further information about version numbers. This cannot be expressed in the XML, because every future version of the extension would also be marked as affected by the security bug. See: http://typo3.org/teams/security/security-bulletins/typo3-20080416-2/
2. Some Security Bulletins use the phrase "TYPO3 versions 3.x". I think we should be more precise here and write:
  <start>3.0.0</start>
  <end>3.8.1</end>
(3.8.1 was the last release before 4.0).
