FOGProject / fogproject

An open source computer cloning & management system
https://fogproject.org
GNU General Public License v3.0

Secure version for CVE-2024-39914 #599

Closed gguowang closed 1 month ago

gguowang commented 1 month ago

Hello, I would like to know which is the latest version that fixes this vulnerability; the latest version in the project dates from 2023.

George1422 commented 1 month ago

I'm sorry I can only answer in English. You must update using the dev branch of FOG to get to version 1.5.10.34 of FOG. This information is outlined in this NIST document: https://nvd.nist.gov/vuln/detail/CVE-2024-39914 and from the FOG developers at: https://forums.fogproject.org/topic/17554/command-injection-in-fog-management-export-php-filename This document gives you instructions to make the changes with your hands without upgrading to 1.5.10.34.

gguowang commented 1 month ago

Thanks, I will ask questions in English in the future

mastacontrola commented 1 month ago

Is this still needing an answer or, is it safe to close this Issue out?

Neustradamus commented 1 month ago

@FOGProject team, @Sebastian-Roth, @mastacontrola: Any news about security problems in 1.5.10?

A 1.5.11 is needed quickly!

mastacontrola commented 1 month ago

@Neustradamus What do you mean "Any news about security problems"?

The posts you presented are indeed news about the security problems and what people can and should do to fix those problems. So while 1.5.11 (or 1.6.x) could be published, it's a time process, not something we can do just on a whim.

Should it be done? Yes. Do we have workarounds until it can be done? Yes. Does it need to happen like yesterday? Not in my humblest of opinions, as we do have workarounds, we've clearly indicated we are aware of the security issues, and what can and should be done to fix those issues in the meantime.

Neustradamus commented 1 month ago

@mastacontrola: 1.5.10 is unsecure, there are several vulnerabilities in 1.5.10 which are not fixed in a stable release (there is not a 1.5.11), it is important to create the 1.5.11 quickly.

The CVE process is long: the author informs, the team has a delay to fix it, the CVE is published.

darksidemilk commented 1 month ago

@mastacontrola: 1.5.10 is unsecure, there are several vulnerabilities in 1.5.10 which are not fixed in a stable release (there is not a 1.5.11), it is important to create the 1.5.11 quickly.

The CVE process is long: the author informs, the team has a delay to fix it, the CVE is published.

See https://github.com/FOGProject/fogproject/issues/600#issuecomment-2260498738 #600

Neustradamus commented 1 month ago

Dear @FOGProject team, @darksidemilk: No the latest official build is 1.5.10 (Recall: badly which has been retagged too in the past, look here: https://github.com/FOGProject/fogproject/issues/565).

Go here, to see what is the latest release:

Getting FOG Project
The latest release of FOG Project is 1.5.10, released March 5th 2023.

Please reopen this security ticket, FOG 1.5.10 is not secure, there is no 1.5.11 release with all vulnerability fixes.

Thanks in advance.

darksidemilk commented 1 month ago

We will not be reopening this issue. The user that opened it closed it themselves as they saw in the NIST listing the instructions for patching. See also https://github.com/FOGProject/fogproject/issues/601#issuecomment-2260955237

Neustradamus commented 1 month ago

Yes, there is a problem, a 1.5.11 is needed to fix the unsecure 1.5.10 build.

I have sent you all links previously about the current latest stable release.

The latest stable is 1.5.10.

Currently people always install a version with vulnerabilities.

1.6.x is another branch (development); it is not the stable branch.

People want a new stable release with fixes.

After the 1.5.9, there was a 1.5.10.

After an unsecure 1.5.10, a 1.5.11 is needed.

More information here: