2.1.1 Security bugfix release
Installation instructions:
https://github.com/certtools/intelmq-manager/blob/2.1.1/docs/INSTALL.md
Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
Backend
- Fix misspelling of the environmental variable INTELMQ_MANGER_CONTROLLER_CMD to INTELMQ_MANAGER_CONTROLLER_CMD (an 'a' was missing).
- Fix handling of POST variable msg of the message-sending functionality available in the Inspect-tool.
Pages
Monitor
- Fix running commands with the "inspect" widget by fixing the definition of the CONTROLLER_CMD in the template (PR #194).
Documentation
- Update supported operating systems in Installation documentation (i.a. PR #191).