Security issues are typically handled differently than regular bugs to try to reduce visibility. To get a security fix into Sakai do the following.
- Get access to the security list and security JIRA work group https://confluence.sakaiproject.org/display/SECWG/Security+Policy by emailing the contact on that page
- Submit a JIRA ticket with security issue indicated (it's a dropdown box) detailing the security issue
- When fixing the issue, either:
- Request access to private GitHub repo https://github.com/sakaiproject/sakai-security and submit a pull request.
- Make sure you push your branch to the (private) sakai-security repo rather than your (public) origin
- The pull request should only have the SAK/KNL/etc number, no additional comments about what was fixed
- If you are unable to submit a pull request, add a diff against the JIRA ticket
- Request access to private GitHub repo https://github.com/sakaiproject/sakai-security and submit a pull request.
- Pull requests and new issues are generally reviewed and merged at the next Security WG or Core Team meeting prior to the next minor release of Sakai.
- For high priority issues email the security list directly