Re: Proposed release of the Composer security audit report


Nathan George <nathan.george@...>
 

+1

On Wed, Feb 20, 2019 at 2:02 PM binh nguyen <binh1010010110@...> wrote:
+1 to both.

Thanks 

Binh

On Tue, Feb 19, 2019 at 5:19 PM Dave Huseby <dhuseby@...> wrote:
Hello TSC,

The time has come for the TSC to approve the release of the Composer audit report. The Composer audit done by Nettitude found a total of five issues: 2 medium risk, 2 low risk, and 1 data leakage notice.

The first of the medium risk errors was simple to fix. Credentials for logging into blockchain instances were stored in world-readable files instead of only user-readable files.

The second of the medium risk errors was the playground server accepting connections from any source IP address. This was solved by changing the code to bind to the loopback interface.

The other issues were about accepting non-TLS connections and leaking unnecessary information in log error messages.

Now that all of the issues of medium or higher have been fixed, it is time to publish the report and announce it. As always, if you are a member of the TSC and would like to read the reports before approving them, please email me directly and I will arrange for you to receive a copy.

Cheers!
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...
