INEX is pleased to announce the immediate availability of IXP Manager v7.3.1. This is primarily a security release following a responsible disclosure from @9Bakabaka.
Release Summary
git --no-pager diff --shortstat v7.3.0
13 files changed, 266 insertions(+), 360 deletions(-)
Upgrade Instructions
The official upgrade instructions can be found here.
Security Advisory: Vulnerabilities Resolved in v7.3.1
Impact: High (Remote Code Execution)
Target Audience: All IXP Manager Administrators
Summary
We have released IXP Manager v7.3.1 to address a high-impact security vulnerability. All users are strongly urged to upgrade immediately.
Identified Issues
- Remote Code Execution (CVE-PENDING) (CVSS Base Severity: 9.9)
A confirmed vulnerability allows an authenticated user to achieve remote code execution on the server running IXP Manager. The CVSS Base score is 9.9 (Critical). This was responsibly disclosed via GitHub's Security Advisories platform
Remediation
The vulnerability is addressed in this v7.3.1 release. Please upgrade to v7.3.1 as soon as possible.
Acknowledgments
We would like to sincerely thank @9Bakabaka for responsibly disclosing this issue, and for the detailed report which accompanied their disclosure.
Other Improvements
- Refactoring markdown mailable classes.
Bug Fixes
- A crash on the contact information page was fixed.
- The API key view page now shows the token identifier and description.