
This ticket contains an incorrect report and a clickbait title [EDITED by @tasn] #123

Closed
BirdInFire opened this issue Mar 17, 2022 · 6 comments

Comments

@BirdInFire

BirdInFire commented Mar 17, 2022

Please do your security updates and stop hiding yourself behind "it has worked for a decade, blah blah":

One proof that your app hasn't been secure for a long time: one of the requirements of YOUR app.

I'll just take the example of Django, because since you don't secure your app, don't try to bullshit me with your "it has worked for a decade":

You use: django==3.1.4

So I went to their changelog to see all the security fixes you don't HAVE, which put the USERS WHO PAY YOU at risk:

Django 3.1.6 fixes a security issue with severity “low” and a bug.
Django 3.1.7 fixes a security issue and a bug
Django 3.1.8 fixes a security issue with severity “low” and a bug
Django 3.1.9 fixes a security issue
Django 3.1.10 fixes a security issue
Django 3.1.12 fixes two security issues
Django 3.1.13 fixes a security issue with severity “high”
Django 3.1.14 fixes a security issue with severity “low”
Django 3.2.1 fixes a security issue and several bugs
Django 3.2.2 fixes a security issue and a bug
Django 3.2.4 fixes two security issues and several bugs
Django 3.2.5 fixes a security issue with severity “high” and several bugs
Django 3.2.10 fixes a security issue with severity “low” and a bug
Django 3.2.11 fixes one security issue with severity “medium” and two security issues with severity “low”
Django 3.2.12 fixes two security issues with severity “medium”
Django 4.0.1 fixes one security issue with severity “medium”, two security issues with severity “low”, and several bugs
Django 4.0.2 fixes two security issues with severity “medium” and several bugs

And since the main framework you use on the server isn't updated, and given that iOS and the others aren't updated either, three conclusions are possible:

  1. You don't know a thing about security; stop sleeping and at least patch CVEs...
  2. You don't care and only want money without maintaining this, and you aren't a good guy...
  3. The dev has abandoned this and all the other members are too lazy to maintain it...

In all three cases, this service is dead, since it cannot provide the best security for its users.
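As an added example (not code from this issue or from the Etebase project), here is a small script that turns the pin and the changelog headlines quoted above into the number a reviewer actually needs: how many patch releases in the pinned X.Y series carry security fixes the pin lacks, broken down by the severity Django states in the headline, with releases from later series (3.2.x, 4.0.x) listed separately, because moving to them is a migration rather than a patch upgrade. The `RELEASE_NOTES` text is constructed from the list above and the `django==` pin is the one quoted; the script counts only what those headlines say and consults no advisory database.

```python
import re

# Constructed input (copied from the issue text above): the pin from the
# project's requirements and the Django release-note headlines as quoted.
PINNED_REQUIREMENT = "django==3.1.4"

RELEASE_NOTES = """\
Django 3.1.6 fixes a security issue with severity “low” and a bug.
Django 3.1.7 fixes a security issue and a bug
Django 3.1.8 fixes a security issue with severity “low” and a bug
Django 3.1.9 fixes a security issue
Django 3.1.10 fixes a security issue
Django 3.1.12 fixes two security issues
Django 3.1.13 fixes a security issue with severity “high”
Django 3.1.14 fixes a security issue with severity “low”
Django 3.2.1 fixes a security issue and several bugs
Django 3.2.2 fixes a security issue and a bug
Django 3.2.4 fixes two security issues and several bugs
Django 3.2.5 fixes a security issue with severity “high” and several bugs
Django 3.2.10 fixes a security issue with severity “low” and a bug
Django 3.2.11 fixes one security issue with severity “medium” and two security issues with severity “low”
Django 3.2.12 fixes two security issues with severity “medium”
Django 4.0.1 fixes one security issue with severity “medium”, two security issues with severity “low”, and several bugs
Django 4.0.2 fixes two security issues with severity “medium” and several bugs
"""

RELEASE_RE = re.compile(r"^Django (\d+)\.(\d+)\.(\d+) (.*)$")
# "a security issue", "two security issues with severity “low”", ...
ISSUE_RE = re.compile(r'\b(a|one|two|three|four)\b security issues?'
                      r'(?: with severity [“"](\w+)[”"])?')
WORD_TO_INT = {"a": 1, "one": 1, "two": 2, "three": 3, "four": 4}


def parse_pin(requirement):
    """'django==3.1.4' -> ('django', (3, 1, 4)). Only exact pins are accepted."""
    name, _, version = requirement.strip().partition("==")
    if not version:
        raise ValueError(f"not an exact pin: {requirement!r}")
    return name.lower(), tuple(int(p) for p in version.split("."))


def parse_release_notes(text):
    """Return [(version_tuple, [(severity, count), ...]), ...] from headline lines.

    A headline that names no severity is recorded as 'unspecified'.
    """
    releases = []
    for line in text.splitlines():
        m = RELEASE_RE.match(line.strip())
        if not m:
            continue
        version = tuple(int(x) for x in m.group(1, 2, 3))
        issues = [(sev or "unspecified", WORD_TO_INT[word])
                  for word, sev in ISSUE_RE.findall(m.group(4))]
        releases.append((version, issues))
    return releases


def missing_fixes(pinned, releases):
    """Split security releases newer than the pin into same-series and later-series.

    Same-series releases (e.g. 3.1.6 for a 3.1.4 pin) are patch upgrades the
    pin is missing; later-series releases (3.2.x, 4.0.x) need a migration.
    """
    series = pinned[:2]
    same_series = [(v, i) for v, i in releases
                   if v[:2] == series and v > pinned and i]
    later_series = [(v, i) for v, i in releases if v[:2] > series and i]
    return same_series, later_series


def summarize(pinned, releases):
    """Count unpatched security issues in the pinned series, by stated severity."""
    same, later = missing_fixes(pinned, releases)
    by_severity = {}
    for _, issues in same:
        for sev, n in issues:
            by_severity[sev] = by_severity.get(sev, 0) + n
    return {
        "pinned": ".".join(map(str, pinned)),
        "patch_releases_behind": len(same),
        "security_issues_unpatched": sum(by_severity.values()),
        "by_severity": by_severity,
        "later_series": sorted({f"{v[0]}.{v[1]}" for v, _ in later}),
    }


if __name__ == "__main__":
    _, pin = parse_pin(PINNED_REQUIREMENT)
    print(summarize(pin, parse_release_notes(RELEASE_NOTES)))
```

For the `django==3.1.4` pin this reports eight 3.1.x patch releases and nine security fixes behind (one "high", three "low", five with no stated severity), with 3.2 and 4.0 flagged as separate series. Changing the pin to `django==3.2.10` reproduces the "two micro versions behind" situation stated later in the thread: two releases (3.2.11 and 3.2.12) carrying five security fixes. Whether a given fix reaches code that the project actually executes (the ORM-only point made below) is a separate question that a headline count cannot answer.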

@BirdInFire
Author

BirdInFire commented Mar 17, 2022

If I'm this harsh with you, it's because I would like to use this service, but there are so many vulnerabilities that I would be crazy to use it as it is now.
If I didn't care, I would just have ignored the issue. All of you members, maybe it's time to correct this problem?

Or don't you care about the project?

Or maybe 25 security issues in your Django version alone aren't enough for you to understand that this project is abandoned or not updated correctly?

@tasn
Member

tasn commented Mar 17, 2022

@BirdInFire, I respect that, and following your comments we'll probably update django just for appearances, though it's important to state: we only use the Django ORM so we are NOT AFFECTED by most of these reports just based on that. Our API is powered by FastAPI.
We also use Django 3.2 LTS and are two micro versions (3.2.12 vs 3.2.10) behind the latest release.

As for the rest, we closely monitor security advisories for all of our deps and make sure that we are not affected.

Edit: I understand the confusion, it looks like the hosted server was up to date, but we neglected to update the OSS deps. Let me be clear though: the above still applies. We are not affected by any of those.

@tasn tasn changed the title Not updated, not secured, nightmare !! update your library !!!! This ticket contains an incorrect report and a clickbait title [EDITED by @tasn] Mar 17, 2022
tasn added a commit that referenced this issue Mar 17, 2022
This is in response to reports in #123. There are no security issues
affecting Etebase, but people still misunderstood the reports so updating
to make sure that it's clear.

More info:
#123
@tasn
Member

tasn commented Mar 17, 2022

Updated django to latest LTS. Though as I said, we were not affected by any of these.

@victor-rds
Contributor

@tasn could you release a new version tag? I want to try a way to automate the Docker image update.

@tasn
Member

tasn commented Mar 17, 2022

Yes, gimme one sec.

@tasn
Member

tasn commented Mar 17, 2022

Done.


3 participants