⏰ After getting a “New security vulnerability” email from security@openedx.org
Fix the vulnerability in a temporary private fork. Do not merge yet. [GitHub docs]
Post a release time in Security Announcements.
Don't post until you have tested your fix.
Note: topics in Security Announcements are moderated, so they may take a little time to appear publicly.
Make the release time a weekday at least 48 hours after your post.
Template:
Title:
  Security: Upcoming Security Release for {{repository_name}} on {{YYYY-MM-DD}}
Body:
  **openedx/{{repository_name}}** version **{{version_number}}** will be released on [date={{YYYY-MM-DD}} time={{HH:MM:SS}} timezone="America/New_York"]. It will fix one security defect with a "{{severity}}" [CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss). Details will be published here after release: [GitHub security advisory]({{github_security_advisory_url}}).
Example:
Title:
  Security: Upcoming Security Release for xblock-drag-and-drop-v2 on 2023-01-24
Body:
  **openedx/xblock-drag-and-drop-v2** version **3.0.0** will be released around [date=2023-01-24 time=12:00:00 timezone="America/New_York"]. It will fix one security defect with a "high" [CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss). Details will be published here after release: [GitHub security advisory](https://github.com/advisories/GHSA-3244-8mff-w398).
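As an added example (not part of this wiki page or of any Open edX tooling), the Python below picks the earliest release slot that satisfies the weekday and 48-hour rules, checks an already-chosen slot against them, and fills in the announcement template above; the noon release hour, the function names and the sample post time are assumptions.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

NEW_YORK = ZoneInfo("America/New_York")
MIN_NOTICE = timedelta(hours=48)  # the 48-hour rule from the process above
CVSS_SEVERITIES = {"none", "low", "medium", "high", "critical"}  # CVSS 3.1 qualitative ratings


def earliest_release_time(post_time: datetime, release_hour: int = 12) -> datetime:
    """Earliest slot at release_hour:00 New York time that falls on a weekday and
    is at least 48 hours after the Security Announcements post (release_hour is assumed)."""
    if post_time.tzinfo is None:
        raise ValueError("post_time must be timezone-aware")
    # Do the 48-hour arithmetic in UTC so a DST change cannot shorten the notice period.
    earliest = (post_time.astimezone(timezone.utc) + MIN_NOTICE).astimezone(NEW_YORK)
    candidate = earliest.replace(hour=release_hour, minute=0, second=0, microsecond=0)
    if candidate < earliest:  # that day's slot is still inside the notice window
        candidate += timedelta(days=1)
    while candidate.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        candidate += timedelta(days=1)
    return candidate


def release_time_is_valid(post_time: datetime, release_time: datetime) -> bool:
    """Check a chosen release time against both rules: weekday in New York, >= 48h notice."""
    notice = release_time.astimezone(timezone.utc) - post_time.astimezone(timezone.utc)
    return release_time.astimezone(NEW_YORK).weekday() < 5 and notice >= MIN_NOTICE


def render_announcement(repository_name, version_number, release_time, severity, advisory_url):
    """Fill in the announcement template; returns (title, body) for the Discourse post."""
    if severity not in CVSS_SEVERITIES:
        raise ValueError(f"not a CVSS 3.1 severity rating: {severity!r}")
    local = release_time.astimezone(NEW_YORK)
    date, clock = local.strftime("%Y-%m-%d"), local.strftime("%H:%M:%S")
    title = f"Security: Upcoming Security Release for {repository_name} on {date}"
    body = (
        f"**openedx/{repository_name}** version **{version_number}** will be released on "
        f'[date={date} time={clock} timezone="America/New_York"]. '
        f'It will fix one security defect with a "{severity}" '
        "[CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss). "
        f"Details will be published here after release: [GitHub security advisory]({advisory_url})."
    )
    return title, body


if __name__ == "__main__":
    # Constructed input: a post made on Friday 2023-01-20 at 15:00 New York time.
    posted = datetime(2023, 1, 20, 15, 0, tzinfo=NEW_YORK)
    release = earliest_release_time(posted)  # Monday 2023-01-23 12:00, skipping the weekend
    for line in render_announcement("xblock-drag-and-drop-v2", "3.0.0", release, "high",
                                    "https://github.com/advisories/GHSA-3244-8mff-w398"):
        print(line)
```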
Around release time, within a 2-hour window:
Merge the temporary private fork. [GitHub docs]
Open PRs and merge the fix to the active release branches:
  open-release/<current-release-name>.master
  open-release/<next-release-name>.master, if it already exists
Find the release names in https://docs.google.com/spreadsheets/d/11DheEtMDGrbA9hsUvZ2SEd4Cc8CaC4mAfoV8SVaLBGI/edit
Link the PR(s) for the active release branches in #wg-build-test-release.
This way, the BTR (Build-Test-Release) working group can take any actions needed to include your PR in releases.
Publish the security advisory. [GitHub docs]
If this is a library, publish the new version to PyPI or NPM.
Reply to your Security Announcements post with the PR URLs:
Template:
Body:
  This security fix has been published. The fix has been merged to:
  * `{{main_branch}}`: {{main_branch_pr_url}}
  * `open-release/{{supported_named_release_1}}.master`: {{supported_named_release_1_pr_url}}
  * `open-release/{{supported_named_release_2}}.master`: {{supported_named_release_2_pr_url}}
Example:
Body:
  This security fix has been published. The fix has been merged to:
  * `master`: https://github.com/openedx/edx-platform/pull/31353
  * `open-release/nutmeg.master`: https://github.com/openedx/edx-platform/pull/31354
  * `open-release/olive.master`: https://github.com/openedx/edx-platform/pull/31353
...