New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SECURITY: two privilege escalation from regular user to root #1921
Comments
|
I'm following the outcome of this story |
|
we need info about how to fix it... |
|
Alright, issues are now fixed in master but a new release has not been bumped yet, so... |
|
|
@cyrus-and Can you link to the fixing commits please? |
|
@attritionorg they're in the writeups, see the timeline. |
|
@cyrus-and my apologies, I thought those were just announcing the CVE assignments. thanks! |
|
Good job, this was fixed in the latest release version? |

(Sorry for the dramatic subject.)
Well, it's really disappointing and unprofessional to come to this...
Two months ago (2019-05-28) I disclosed two privilege escalation vulnerabilities to info@vestacp.com (and eventually also to dev@vestacp.com and skid@vestacp.com), I obtained no useful replies or actions so I'm trying to reach a wider audience by opening an issue here (and no, I won't join the forum).
As today the two vulnerabilities are still undisclosed as I fairly believe that a responsible disclosure approach is the right way to go. Yet we're pushing the boundaries here and I don't think the maintainers are being respectful of the userbase.
So this is my last attempt to get these issues fixed, after that I will disclose them anyway, fixed or not. Users having write access to this repo can reach me privately for details, it's even better if they reply to the original message sent to the above @vestacp.com addresses, provided that they're allowed to do that.
The text was updated successfully, but these errors were encountered: