Potential security issue #95

Closed
jdkizer9 opened this issue Jun 11, 2019 · 18 comments

Comments

@jdkizer9
Contributor

I may have found a security issue. I'm not comfortable posting it here yet as I don't want an unpatched vuln out there. I reached out to @soynatan directly via email a few days ago, but haven't heard back yet. Is there anyone else I can reach out to?

@jheld
Collaborator

jheld commented Jun 11, 2019

@jdkizer9 yes, I also have commit rights. I can't deploy at this time (maybe that will change).

You can reach me at jasonsheld at gmail dot com.

@jdkizer9
Contributor Author

Thanks @jheld, email sent

@jdkizer9
Contributor Author

Hi @jheld any updates on this?

@jheld
Collaborator

jheld commented Jun 13, 2019 via email

@s-i-l-k-e

@jheld any update on this security risk?

@s-i-l-k-e

@soynatan @jheld has anything happened with this?

@jheld
Collaborator

jheld commented Oct 23, 2019

Hi all,

I haven't vetted the MR for it yet. I think there may have been one...

I will recheck my email.

@s-i-l-k-e

What do you mean by MR, sorry?

@uostimb

uostimb commented Jan 13, 2020

Hi @jheld,

Has there been any progress on this?

I've been working through this app's code before we consider deploying it to a production system and we've found one or two security problems that are quite dangerous but could be easily patched.

Is anyone working on a PR/MR for them? If not can I send a report to someone, or would you rather I just make a PR/MR?

P.S. @s-i-l-k-e MR = Merge Request (GitLab's equivalent of GitHub's Pull Request)

@jheld
Collaborator

jheld commented Jan 16, 2020

@s-i-l-k-e Hi, sorry I didn't mean to use MR!

@jdkizer9 I think you had a solution written out (maybe a PR? definitely a fork). I have had 0 time to vet any solution to the specific issue in this...issue, so at this point, why not merge it if it's working? :)

and @uostimb yes thank you for the jargon help!

In terms of when we would merge a change, I want to make sure that the current release candidate of this project gets a +1 from someone (most likely my company). My company isn't yet on django 3.0, but that's what the release is intending to do -- support django 3.0.

I also have a bug #119 that I need to get merged so no reason we cannot fix 2 bugs in the next minor/patch release.

So to review, once we/I cut the official release of this project (dropping the rc tag), let's plan to get this stuff fixed.

As far as any security issues, @uostimb please email me (and maybe @jdkizer9 too) at my email listed near the first comments on this issue. Good to get some eyes on this, and really this sort of stuff happening makes me think I should set up a project email or something to make the security & support policy more clear/official.

I will be fairly unavailable for the weekend and beginning of next week. I think I'll be able to cut the official current release on Wednesday after doing some smoke-tests, and then we're set to get stuff in again.

@uostimb

uostimb commented Jan 18, 2020

@jheld @soynatan I've just sent you an email with a description of the problem, examples and repro steps, links to the problematic lines and code with proposed solutions.

@jdkizer9 apologies I couldn't find your email address, but if you want to email me at " github at timboss com " I'm happy to check if we found the same problems and same proposed solutions.

Let me know if anyone needs anything else, these issues really do need patching ASAP!

@jheld
Collaborator

jheld commented Jan 22, 2020

I have cut the official release and started the new release 1.2.1rc1 which so far has 1 bug fix. The window will be open for a little bit.

@jdkizer9
Contributor Author

jdkizer9 commented Jan 22, 2020 via email

@seanieb

seanieb commented Feb 14, 2020

Any updates on this issue? Holding off using it until it's patched.

@jheld
Collaborator

jheld commented Feb 14, 2020

@seanieb as far as I can tell from the write up I've seen about it, it seems more related to an injected group name (either way still an issue). This security issue has been present for some time so at this point you're likely not safe already -- I suggest you upgrade if you can anyway.

But yes we still do intend to have code merged shortly. I may need to copy the change over by hand.

@felixcheruiyot

Any update on this? @jdkizer9, would you advise this plugin to be used in production, or should we wait for @jheld and the team? @jdkizer9 Do you have a PR already?

@jheld
Collaborator

jheld commented Jul 23, 2020

Let's re-open/make a new one if there's still an issue with this, but it should be fine!

@jheld jheld closed this as completed Jul 23, 2020
@felixcheruiyot

Thank you @jheld on action and update on this issue.

I truly appreciate your input.
