Closed fgeek closed 10 years ago
Hi,
You can send me the details to xjqkilling at gmail dot com. Please include:
Thanks
Thanks. I will contact you soon.
Details have been sent. Please comment as soon as possible, thank you.
We'll fix it today.
@killing Thanks a lot for your efforts. Will you create a new release so that I can ask end-users to upgrade? We do have lots of seafile instances in our web environment (http://www.kapsi.fi/english.html). Remember to add a note to the changelog/news that Kimmo Huoman found this one (and optionally that I handled coordination). We should also request a CVE identifier for this issue. Do you want me to do it or will you do it from this project? http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
The fix is included in the 3.1.2 release. I've added a note in the change log: https://seacloud.cc/group/3/wiki/Server%20ChangeLog/ You may help us by requesting a CVE. Thanks
@killing Thank you. Are you going to create a blog post or advisory about the security issue (if you are busy etc. I understand)? The change log currently does not indicate the urgency of the update or have a [security] tag. In our analysis this looks critical enough to at least mention the security vulnerability to users.
Questions:
@killing CVE request is now done privately to MITRE and after that I can email to public.
This is now public information. Please see http://www.openwall.com/lists/oss-security/2014/08/24/3 for the mailing list post. Thank you for your work!
@fgeek Thank you very much!
I would like to privately discuss a security vulnerability my friend found. Could you give me contact details and a code of conduct? Thank you.