Closed gguowang closed 1 month ago
I'm sorry, I can only answer in English. You must update using the dev branch of FOG to get to version 1.5.10.34 of FOG. This information is outlined in this NIST document: https://nvd.nist.gov/vuln/detail/CVE-2024-39914 and from the FOG developers at: https://forums.fogproject.org/topic/17554/command-injection-in-fog-management-export-php-filename This document gives you instructions to make the changes with your hands without upgrading to 1.5.10.34.
Thanks, I will ask questions in English in the future.
Is this still needing an answer, or is it safe to close this issue out?
@FOGProject team, @Sebastian-Roth, @mastacontrola: Any news about security problems in 1.5.10?
A 1.5.11 is needed quickly!
@Neustradamus What do you mean "Any news about security problems"?
The posts you presented are indeed news about the security problems and what people can and should do to fix those problems. So while 1.5.11 (or 1.6.x) could be published, it's a time process, not something we can do just on a whim.
Should it be done? Yes. Do we have workarounds until it can be done? Yes. Does it need to happen like yesterday? Not in my humblest of opinions as we do have workarounds, we've clearly indicated we are aware of the security issues, and what can and should be done to fix those issues in the meantime.
@mastacontrola: 1.5.10 is unsecure, there are several vulnerabilities in 1.5.10 which are not fixed in a stable release (there is not a 1.5.11), it is important to create the 1.5.11 quickly.
The CVE process is long, the author informs, the team has a delay to fix it, the CVE is published.
See https://github.com/FOGProject/fogproject/issues/600#issuecomment-2260498738 #600
Dear @FOGProject team, @darksidemilk: No, the latest official build is 1.5.10 (Recall: badly which has been retagged too in the past, look here: https://github.com/FOGProject/fogproject/issues/565).
Go here, to see what is the latest release:
Getting FOG Project
The latest release of FOG Project is 1.5.10, released March 5th 2023.
Please reopen this security ticket, FOG 1.5.10 is not secure, there is no 1.5.11 release with all vulnerability fixes.
Thanks in advance.
We will not be reopening this issue. The user that opened it closed it themselves as they saw in the NIST listing the instructions for patching. See also https://github.com/FOGProject/fogproject/issues/601#issuecomment-2260955237
Yes, there is a problem, a 1.5.11 is needed to fix the unsecure 1.5.10 build.
I have sent you all links previously about the current latest stable release.
The latest stable is 1.5.10.
Currently people always install a version with vulnerabilities.
1.6.x is another branch (development), it is not the stable branch.
People want a new stable release with fixes.
After the 1.5.9, there was a 1.5.10.
After an unsecure 1.5.10, a 1.5.11 is needed.
More information here:
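Hello, I would like to know which version is the latest one that fixes this vulnerability. The latest version in the project is from 2023.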