...

⏰ After getting a “New security vulnerability” email from security@openedx.org

...

Fix the vulnerability in a temporary private fork. Do not merge yet. [GitHub docs]

...

Post a release time in Security Announcements.

  1. Don’t post until you test your fix.

  2. Note: topics in Security Announcements are moderated. They may take a little time to appear publicly.

  3. Make the release time on a weekday at least 48 hours after your post.

  4. Template:

    1. Title:

      Security: Upcoming Security Release for {{repository_name}} on {{YYYY-MM-DD}}

    2. Body:

      **openedx/{{repository_name}}** version **{{version_number}}** will be released on [date={{YYYY-MM-DD}} time={{HH:MM:SS}} timezone="America/New_York"].
      
      It will fix one security defect with a "{{severity}}" [CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss).
      
      Details will be published here after release: [GitHub security advisory]({{github_security_advisory_url}}).
  5. Example:

    1. Title:

      Security: Upcoming Security Release for xblock-drag-and-drop-v2 on 2023-01-24

    2. Body:

      **openedx/xblock-drag-and-drop-v2** version **3.0.0** will be released on [date=2023-01-24 time=12:00:00 timezone="America/New_York"].
      
      It will fix one security defect with a "high" [CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss).
      
      Details will be published here after release: [GitHub security advisory](https://github.com/advisories/GHSA-3244-8mff-w398).
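An added example, not part of the original page, that fills the title and body templates above and refuses a release time that breaks the rules of this step (weekday, at least 48 hours after the post). It assumes both times are given as naive America/New_York local times, the timezone the template pins, and that the caller supplies the version and advisory URL.

```python
from datetime import datetime, timedelta

# CVSS 3.1 qualitative severity ratings accepted in the announcement body.
SEVERITIES = {"low", "medium", "high", "critical"}

TITLE = "Security: Upcoming Security Release for {repository_name} on {date}"
BODY = (
    "**openedx/{repository_name}** version **{version_number}** will be released on "
    '[date={date} time={time} timezone="America/New_York"].\n\n'
    'It will fix one security defect with a "{severity}" '
    "[CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss).\n\n"
    "Details will be published here after release: "
    "[GitHub security advisory]({advisory_url})."
)


def parse_ny(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a naive America/New_York local time (assumption)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def schedule_problems(post_time: datetime, release_time: datetime) -> list[str]:
    """Return the scheduling rules the proposed release time breaks (empty list = OK)."""
    problems = []
    if release_time.weekday() >= 5:  # Monday == 0 ... Saturday == 5, Sunday == 6
        problems.append("release time must fall on a weekday")
    if release_time - post_time < timedelta(hours=48):
        problems.append("release time must be at least 48 hours after the post")
    return problems


def render_announcement(repository_name: str, version_number: str, severity: str,
                        advisory_url: str, post_time: datetime,
                        release_time: datetime) -> tuple[str, str]:
    """Fill the title and body templates, rejecting input that breaks the rules."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown CVSS 3.1 severity: {severity!r}")
    problems = schedule_problems(post_time, release_time)
    if problems:
        raise ValueError("; ".join(problems))
    fields = {
        "repository_name": repository_name,
        "version_number": version_number,
        "severity": severity,
        "advisory_url": advisory_url,
        "date": release_time.strftime("%Y-%m-%d"),
        "time": release_time.strftime("%H:%M:%S"),
    }
    return TITLE.format(**fields), BODY.format(**fields)
```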

Around release time, within a 2-hour window:

...

Merge the temporary private fork. [GitHub docs]

...

PR and merge the fix to the active release branches:

  1. open-release/<current-release-name>.master

  2. open-release/<next-release-name>.master, if it already exists

  3. Find release names in https://docs.google.com/spreadsheets/d/11DheEtMDGrbA9hsUvZ2SEd4Cc8CaC4mAfoV8SVaLBGI/edit

...

Link the PR(s) for the active release branches in #wg-build-test-release.

  1. This way, BTR can take any actions needed to include your PR in releases.

...

Publish security advisory. [GitHub docs]

...

If this is a library, publish the new version to PyPI or NPM.

Reply to your Security Announcements post with the PR URLs:

...

Template:

  1. Body:

    This security fix has been published.
    
    The fix has been merged to:
    
    * `{{main_branch}}`:
    {{main_branch_pr_url}}
    
    * `open-release/{{supported_named_release_1}}.master`:
    {{supported_named_release_1_pr_url}}
    
    * `open-release/{{supported_named_release_2}}.master`:
    {{supported_named_release_2_pr_url}}

Example:

Body:

...

See For maintainers.

🩹 Apply a security patch to a Python or NPM package

...