Security News
Sarah Gooding
September 9, 2024
The Python Software Foundation is expanding its scope as a CVE Numbering Authority (CNA) to include the Pallets Projects, a collection of popular frameworks like Flask, Jinja, Click, and Quart.
PSF is a relatively newly minted CNA, having gained the authority to assign and manage CVE IDs and records for Python and pip in August 2023. The expanded scope brings the seven Pallets core libraries under the same umbrella for vulnerability records management:
(Note: This excludes distributions of Python, pip, and Pallets projects maintained by third-party distributors.)
Pallets was modeled after the success of the JazzBand organization, which distributes the responsibility of maintaining popular Django-related projects across a community of contributors. Pallets is a similar concept, albeit a separate community, that aims to create a sustainable group of maintainers and contributors.
Pallets Projects are central to thousands of Python web applications, and this move signals a strong commitment to improving the open source security landscape for developers. With frameworks like Flask and Jinja being widely adopted across industries, bringing them under the PSF's CNA umbrella ensures more consistent and transparent vulnerability reporting.
PSF identified a number of other benefits that projects receive by being part of their CNA scope:
The inclusion of Pallets Projects means developers using these frameworks will have access to faster and more reliable CVE tracking. This move aligns with PSF's broader goals of improving the vulnerability response processes of critical projects in the Python ecosystem.
As frameworks like Flask and Jinja are used in both small and large-scale applications, their vulnerability status directly impacts web security at scale. This is particularly important for organizations working with sensitive data or facing stringent security requirements, such as those in finance, healthcare, or government.
The success of this newly expanded CNA scope relies on PSF's ability to effectively manage CVE assignments through continued collaboration with project maintainers to ensure timely and accurate vulnerability reporting. This is a greater burden on the foundation but has the potential to significantly strengthen the security of critical Python libraries. It may also encourage other open source projects to follow suit in adopting standardized vulnerability reporting practices. In November 2023, the PSF published a guide that open source projects can follow, titled Becoming a CVE Numbering Authority.
The move reflects a growing recognition of the critical role that web frameworks play in modern application development and the need for streamlined, professional-grade security processes to support them. It addresses the often-overlooked challenge of maintaining security in popular open source tools, which are frequently relied upon by enterprises and startups alike but may lack the resources for comprehensive security management.