2022-05-05 Meeting notes

5-10 min

Spring RCE vulnerability

All

See https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

• FOLSPRINGB-47: Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)ClosedPreview

• @Julian Ladisch is writing a script to check for vulnerable modules

• A message/update was posted to #sys-ops:  https://folio-project.slack.com/archives/C9BBWRCNB/p1648740057373649?thread_ts=1648728230.119219&cid=C9BBWRCNB

• @Julian Ladisch has created a few JIRAs for this – he's still working on this.

• He also wrote a script to list the affected modules - runs periodically

• The edge modules are probably the most critical - 3 of them are affected.  The related POs are aware.

• Should these fixes be backported to Kiwi?

  • Prevailing thought is that it should since Kiwi is the latest release and Lotus isn't official yet.

  • @Craig McNally will communicate this recommendation to the Capacity Planning group, and possibly Oleksii Petrenko.

  • Additional communication will be made once the path forward is clear.

Today:

• Discussed with Mark V. Harry K, and Oleksii P. - Aiming for Lotus (HF) and Morning Glory.

• Still confusion about how many releases need to be supported, LTS, etc. 

• Note that this is a P3, if it were a P1/P2 the decision might have been different.

Official security support policy on releases

Security team needs

• How many releases from now has to be supported? (3-4 releases or less?)

• Priority/Risk will likely factor into this as well.

• Also a matter of capacity

• Should be raised to the PC → Axel can bring this with a paper/proposal to the PC - not yet.

• Probably want to bring this to the TC as well at some point, even if only for awareness.

• WOLFcon session?

• Axel will produce a paper that outlines that problem by next weeks meeting.

• Chris to ask his stakeholders about TAMU needs - not specifically, but has started to have some conversations

5 min

Update on FOLIO-3317: Spike - investigate possible file upload vulnerabilityOpenPreview 

Axel

• @Axel Dörrer Should be removed from week to week agenda and Axel will monitor for progress and report back

• MODEUS-139 has been moved to the next sprint

• @Axel Dörrer  waiting to hear back from Ann-Marie B. about the data-import ticket ... maybe target Nolana?

Today:

5-10 min

RMB-902: Reject tenant with invalid characters and possibly sanitizeOpenPreview

OKAPI-1081: Reject invalid tenant idsClosedPreview

Team

Notes from previous weeks:

Discussions are ongoing, currently blocked on a decision being made.

• Document the options on the wiki to facilitate these discussions and the decision making process.

  • @Julian Ladisch to take this on.

• By this group?  By the TC?

• How do we constrain the module names?  If so, where/how?

  • Various restrictions:  Postgres, Hosting infrastructure (Kubernetes/ECS/etc.)

• What about the tenantId restrictions?

  • Also part of the above discussion/decision.

• Some design choices have been suggested.

  • See Tenant Id and Module Name Restrictions

  • Security team to review on their own and ask questions as needed.

Today:

5-10 min

STCLI-190: Update dependencies (CVE-2021-3807)ClosedPreview

Team

Notes from previous weeks:

There's a PR that hasn't' moved in a while... What's the status?  How do we move this forward?

• @Ryan Berger / @John Coburn to help push this along.

Was there another PR against stripes-testing?

• ui-test:94 Was merged, a problem was reported, leading to this being reverted.

• Appears to be an environmental problem.  

• The JIRA is now unassigned... it isn't clear who has the ball here.

• Added a comment to STCLI-190 tagging Khalilah, Ryan, and Zak

• This PR has been reverted because of issues with the included changes of kopy version. The idea is to exclude the kopy changes by now to move forward with this.

• Last week:  

  • No movement, but a PR should be coming soon.

Today:

*

Review the Kanban board. 

Team