[Fiware-fic3-coaching] Fi-ware Keyrock : Security point.

[Franck Le Gall]

Hello,

Answer we got from Joaquín Salvachúa is that they are going to deploy in the next weeks a new versión based on Python and different Openstack Keystone components. So this ruby versión  will be outdated.

Franck

De : fiware-fic3-coaching-bounces at lists.fi-ware.org [mailto:fiware-fic3-coaching-bounces at lists.fi-ware.org] De la part de Franck Le Gall
Envoyé : jeudi 2 avril 2015 16:59
À : fiware-fic3-coaching at lists.fi-ware.org
Objet : [Fiware-fic3-coaching] Fi-ware Keyrock : Security point.



De : Jérémy Harris
Envoyé : mardi 24 mars 2015 09:57
À : Franck Le Gall; thomas.van.der.auwermeulen at vub.ac.be<mailto:thomas.van.der.auwermeulen at vub.ac.be>; vincent LEROY
Objet : Fi-ware Keyrock : Security point.

Dear Mr. Le Gall,

I'm Jeremy Harris, working for Neveo which is supported by Fi-C3.
You were recommended by Thomas Van Der Auwermeulen to help with our issue.

We currently have an issue with the Keyrock integration. In short, we noticed that install Keyrock on our server present some security risk. I add an attachment file with the detail of the problem.

There is a problem with KeyRock Identity Management framework from Fi-Ware.

KeyRock uses quite outdated versions of Ruby programming language (1.9.3),
and Ruby on Rails framework (3.2.14). Both of those have a pretty big list of known
security vulnerabilities:

  1.  http://www.cvedetails.com/vulnerability-list/vendor_id-7252/product_id-12215/version_id-136531/Ruby-lang-Ruby-1.9.3.html
  2.  http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/version_id-153894/Rubyonrails-Ruby-On-Rails-3.2.14.html



At the same time, i'm contacting other Keyrock specialist (only 2 found on the internet) to get more information.

Best Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.fiware.org/private/fiware-fic3-coaching/attachments/20150402/fbbf145b/attachment.html>