How to see security fixes

Devinim Koha Development Team
Hi all,

How can we see the fixes of security bugs?

We've faced a vulnerability with Bug# 16969 in a new version, but
it's said that it was fixed in 3.22.10.


Thanks.

Devinim Koha Dev. Team

_______________________________________________
Koha-devel mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Re: How to see security fixes

Chris Cormack-7
Hi,

Normally, once they are released, the release maintainer shifts them out of security. That one got missed; shifted now.

Chris

On 14 March 2017 9:13:51 PM NZDT, Devinim Koha Development Team <[hidden email]> wrote:

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: How to see security fixes

Devinim Koha Development Team

Hi all,

In opac-memberentry.pl, the authnotrequired field is 1 by default; in that case, user information can be reached without user authentication,

and this can lead to some vulnerabilities. Do we miss something? We were not able to understand why it is 1 by default.

Thanks.

On 14-03-2017 11:33, Chris Cormack wrote:

Re: How to see security fixes

Jonathan Druart
Hi,

authnotrequired is set to 1 because opac-memberentry.pl is also used by the self-registration feature.
The patron information displayed is based on the logged in user, not a parameter passed to the script.

Everything looks ok to me.

Regards,
Jonathan

On Wed, 15 Mar 2017 at 12:18 Devinim Koha Development Team <[hidden email]> wrote:

Hi all,

In the opac-memberentry.pl authnotrequired area is 1 by default, in that case, user information can be reached without given a user authentication

and this can lead some vulnerabilites, do we miss something? We were not able to understand why it is 1 by default?

Thanks.

On 14-03-2017 11:33, Chris Cormack wrote:
Hi,

Normally once they are released the release maintainer shifts them out of security. That one got missed, shifted now

Chris

On 14 March 2017 9:13:51 PM NZDT, Devinim Koha Development Team [hidden email] wrote:
Hi all,

How can we see the fixes of security bugs?

We've faced with a vulnerability with Bug# 16969 in a new version, but 
it's said that it was fixed in 3.22.10.


Thanks.

Devinim Koha Dev. Team


Koha-devel mailing list [hidden email] http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
Koha-devel mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

_______________________________________________
Koha-devel mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
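Jonathan's point above (what the script displays is keyed to the logged-in user, not to a parameter passed to the script) as an added example. This is not Koha's code and does not reproduce opac-memberentry.pl: the handler, request, session and patron names (`handle_fixed`, `handle_weak`, `Request`, `SESSIONS`, `PATRONS`, the `CGISESSID` cookie name) are assumptions, and the patron records are constructed. The weak handler is there only as the contrast the hardened one rules out; `anonymous_request_leaks` is the kind of regression check a maintainer would keep beside a page that is deliberately reachable without login.

```python
"""Added example, not Koha's code: a minimal model of a CGI-style handler that
serves both anonymous self-registration and authenticated profile editing.
It shows the property described in the thread (displayed patron data is keyed
to the logged-in user, never to a request parameter) next to the weak pattern
it prevents. All names and data below are hypothetical and constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample patron records (hypothetical, not real data).
PATRONS = {
    1: {"borrowernumber": 1, "surname": "Doe", "email": "jdoe@example.org"},
    2: {"borrowernumber": 2, "surname": "Roe", "email": "rroe@example.org"},
}

# Constructed session store: session id -> borrowernumber of the logged-in user.
SESSIONS = {"sess-abc": 1}


@dataclass
class Request:
    """Hypothetical request: query parameters and cookies only."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def current_user(req: Request) -> Optional[int]:
    """Identity is derived solely from a valid session cookie (assumed name)."""
    return SESSIONS.get(req.cookies.get("CGISESSID"))


def handle_weak(req: Request) -> dict:
    """Weak pattern (for contrast): the page is reachable without login AND it
    looks up the patron from a request parameter, so the parameter alone
    selects whose record is rendered."""
    bn = req.params.get("borrowernumber")
    if bn is not None and bn.isdigit() and int(bn) in PATRONS:
        return {"action": "edit", "patron": PATRONS[int(bn)]}
    return {"action": "register", "patron": None}


def handle_fixed(req: Request) -> dict:
    """Hardened pattern: 'authentication not required' only means the blank
    self-registration form is public. Any patron data shown is keyed to the
    session user; the borrowernumber parameter is ignored for identity."""
    user = current_user(req)
    if user is None:
        return {"action": "register", "patron": None}
    return {"action": "edit", "patron": PATRONS[user]}


def anonymous_request_leaks(handler: Callable[[Request], dict]) -> bool:
    """Regression check a maintainer can keep in a test suite: does a request
    with no session but a chosen borrowernumber ever render patron data?"""
    for bn in PATRONS:
        resp = handler(Request(params={"borrowernumber": str(bn)}))
        if resp["patron"] is not None:
            return True
    return False


if __name__ == "__main__":
    print("weak handler leaks:", anonymous_request_leaks(handle_weak))    # True
    print("fixed handler leaks:", anonymous_request_leaks(handle_fixed))  # False
```

The design choice worth noting is that the hardened handler never reads the parameter to decide whose record to show: a logged-in session gets its own record even if the request names someone else's borrowernumber, and a request with no session (or an unknown session id) only ever gets the empty registration form.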

Re: How to see security fixes

Devinim Koha Development Team

Hi,

In that case we can reach the user's detailed information without giving a password, by curl.

If you want, we can share the code for how to get this information without authentication, from this list.


On 15-03-2017 18:50, Jonathan Druart wrote:

Re: How to see security fixes

Stefano Bargioni
Uh..., probably it is not so good to publish security issues on a public list.
The official way is
if I'm not wrong.
sb

On 15 Mar 2017, at 16:57, Devinim Koha Development Team <[hidden email]> wrote:

Re: How to see security fixes

Devinim Koha Development Team
Hi,
We have sent the code to Jonathan Druart as he wanted,
and we can get all info without authorization even in 3.20.x, hence it should be fixed ASAP.

Best regards,
Devinim Koha Development Team

On 15-03-2017 19:17, Stefano Bargioni wrote:

Re: How to see security fixes

Devinim Koha Development Team

BTW,

We have created this bug as #18275. We did not put the script for how to crawl the data on the bug.


On 15-03-2017 19:27, Devinim Koha Development Team wrote: