
Clarifications on security vulnerability process #319

Closed
nezdolik opened this issue Jul 25, 2023 · 4 comments

Comments

@nezdolik

Hi, is there a security vulnerability reporting process for this project? Are vulnerabilities reported privately or in public?
Some context: Envoyproxy is considering adding a Maxmind-based geolocation filter as a core dependency, and for that libmaxminddb needs to be evaluated against a list of criteria. Existence of a security vulnerability process is one such criterion.

@nezdolik
Author

nezdolik commented Jul 25, 2023

I may need help with clearing up a few more criteria for libmaxminddb in the list, mainly the ones below:

  • Tests run in CI
  • High test coverage (also static/dynamic analysis, fuzzing)
  • Envoy can obtain advanced notification of vulnerabilities or of security releases
  • Do other significant projects have shared fate by using this dependency? (From my research, Nginx and Apache Traffic Server have geoip2 modules/plugins based on this project.)

Please let me know if I should create a separate issue per criterion.

@oschwald
Member

Hi! Thanks for contacting us about this:

is there a security vulnerability reporting process for this project? Are vulnerabilities reported privately or in public?

We do not currently have a separate security reporting process. Security issues are currently reported here or via support@maxmind.com.

Tests run in CI

Yes, our tests run in CI.

High test coverage

I don't have the current coverage percentage, but they were high in the past and I believe them to still be high.

static/dynamic analysis, fuzzing

As you can see from the workflows I linked to, we currently run the tests with Clang's AddressSanitizer enabled. We also run Clang's static analysis and GitHub's CodeQL against the code. We also run afl-fuzz on the code, in particular when making more significant changes.

Envoy can obtain advanced notification of vulnerabilities or of security releases

We do not currently have a process for notifying third parties. Most reported security issues are fixed as soon as possible. See, e.g., 1, 2, 3

Do other significant projects have shared fate by using this dependency?

There are many projects that either use libmaxminddb directly or that have extensions or modules that use it. Here are a few based on reverse dependencies in Debian:

  • bind9
  • wireshark-common
  • trafficserver
  • syslog-ng-mod-geoip2
  • suricata
  • proftpd-mod-geoip2
  • prelude-manager
  • pmacct
  • pdns-backend-geoip
  • ocserv
  • ntopng
  • mailfromd
  • logswan
  • lighttpd-mod-maxminddb
  • libpam-geoip
  • libmodsecurity3
  • knot-module-geoip
  • kamailio-geoip2-modules
  • inspircd
  • goaccess
  • gdnsd
  • libnginx-mod-stream-geoip2
  • libnginx-mod-http-geoip2

There are many hundreds more, particularly once you count indirect reverse dependencies via things like geoip2 and maxminddb in Python.

@nezdolik
Author

Thanks for the detailed response @oschwald

@oschwald
Member

oschwald commented Sep 6, 2023

It appears your questions have been answered. I am going to close out this issue. Please let me know if you have any follow-up questions.

oschwald closed this as completed Sep 6, 2023