Security issues on 2.6.1 stable tag

[maks-rafalko]

Hi,

git branch
* (HEAD detached at 2.6.1)

app/console security:check

Symfony Security Check Report
=============================

 // Checked file: composer.lock


 [ERROR] 2 packages have known vulnerabilities.


zendframework/zend-crypt (2.4.0)
--------------------------------

 * CVE-2015-7503: Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey
   http://framework.zend.com/security/advisory/ZF2015-10

zendframework/zend-mail (2.4.0)
-------------------------------

 * CVE-2015-3154: Potential CRLF injection attacks in mail and HTTP headers
   http://framework.zend.com/security/advisory/ZF2015-04
 * (no CVE ID): Potential remote code execution in zend-mail via Sendmail adapter
   https://framework.zend.com/security/advisory/ZF2016-04

 ! [NOTE] This checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories
 !        database. Execute this command regularly to check the newly discovered vulnerabilities.

Please fix it ASAP.

[d-beekeeper]

Thanks borNfreee.
This issue has internal ticket to fix. Currently this is not a critical problem as all income information will be escaped before rendering. We are going to upgrade zend-mail to latest version in the future. zend-crypt is related and will be updated as well.

[mbessolov]

This has been reviewed by our security team in July when it was first reported.
We concluded that the vulnerable code is not used in our application, and there is no urgency in upgrading these two dependencies.
In the next LTS release we will be getting rid of zend-crypt, and either upgrading or replacing zend-mail.
I'm adding 'scheduled for implementation' label for now to indicate that it will be taken care of.

[maks-rafalko]

Thank you guys for taking time to answer to this issue. I really appreciate it.

However, from my point of view, this is not acceptable. Let me expand on this topic a bit:

1. "Currently this is not a critical problem" - you miss the point. Security checker found several issues in your dependency. While you as a team don't use this vulnerable code, you don't know that some dependency from your composer.json doesn't do it as well. There is no guarantee that you will not use vulnerable code tomorrow.

2. My project depends on platform-application, so we have security issues inherited from your code (it does not matter that this code has not been written by ORO). It's your dependency, it means you are responsible for it. What should we say about these vulnerabilities after Security Audit of our project?

3. I can't add app/console security:check to my CI because your code is vulnerable. It means many of other vulnerabilities that will come up later will not be detected since we don't check it on CI.

This has been reviewed by our security team in July when it was first reported.

8 months ago... It requires 2-3h (1d in the worst case) to update or remove packages.

and there is no urgency in upgrading these two dependencies.

Everything that is related to security is urgent. Please add app/console security:check to your CI and all of us (you as ORO company, we as consumers of your code) will never face this issue again.

Please, take it a little bit more seriously.

Thank you.

[mbessolov]

I see there is a number of people who voted for the previous message. Anyone willing to submit a PR?
Even though we do not use the vulnerable code in our products, we will prioritize this request higher if there is any substantiated interest.

[maks-rafalko]

Why did you change the title of this issue? I named it with "Security" word on purpose. I don't care about other dependencies in this PR, only about vulnerable ones.

Anyone willing to submit a PR?

IMO, it's better to prioritize this issue with your core team.

[pedrofurtado]

@mbessolov Is this issue still not a priority for the core team of Oro?

[mbessolov]

@pedrofurtado All issues are a priority. The relative prirority of this issue though, considering that it is not used in our products, is not high. These dependencies will definitely be upgraded in one of the next releases, but there is no urgency to do it.

[maks-rafalko]

-"zendframework/zend-mail": "2.4.0",
+"zendframework/zend-mail": "2.4.11",

solves the problem, we just forked ORO Platform.

Please reconsider your decision - resolve security issue in your dependencies and release a new tag.

---

All issues are a priority.

Many companies have Security Testing phase for their projects. The first thing I would do is to run app/console security:check. From your point of view, what should I tell as a developer to Security Team about those vulnerabilities?

We concluded that the vulnerable code is not used in our application, and there is no urgency in upgrading these two dependencies.

is not a professional answer

[mbessolov]

@borNfreee I'm not sure what you mean. Did you upgrade the zend-mail version and fixed all the email synchronization issues caused by this upgrade? If yes, why don't you open a pull request to contribute those fixes? You are more than welcome to do so.