Security vulnerabilities announced #300
Comments
+1
This is the first communication I've received regarding the issue. Will look into this immediately.
Henri, you are a gentleman for posting a ticket here where anyone active on the project can see it. Thank you! In answer to your questions (as far as I know):
The disclosed issues have now been fixed. I've written a wiki page to provide more details - https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013) - and announced it on the Fat Free CRM Users list.
I can request CVE identifiers for these issues. Thank you for reacting quickly.
CVEs requested: http://www.openwall.com/lists/oss-security/2013/12/28/1
CVEs have been assigned. A few comments from Mitre too. Could you please answer?
Comments below:
Thanks, replied.
CVE-2013-7249 has also been assigned for the to_xml variant of CVE-2013-7224.
Just to be sure, because I do not see it obviously covered:
Yup, this isn't covered by the CVE directly as it wasn't mentioned in the
However, it's definitely being addressed as part of a wider audit. This
We'll have another code update in a few days and documentation to help
Regards,
On Sat, Jan 4, 2014 at 12:09 AM, vsiegel notifications@github.com wrote:
In case you missed it, the 2nd security advisory has been released. I'm going to close this issue now. https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%287th-jan-2014%29
Original issue description:
For details please see: http://seclists.org/fulldisclosure/2013/Dec/199
Are these issues already fixed in some version? If not, do you have a plan already?
Are these issues tracked in some issue tracker?
Have you requested CVE identifiers for these security updates?