haiwen / seafile

High performance file syncing and sharing, with also Markdown WYSIWYG editing, Wiki, file label and other knowledge management features.
http://seafile.com/

Security vulnerability #769

Closed fgeek closed 10 years ago

fgeek commented 10 years ago

I would like to privately discuss a security vulnerability my friend found. Could you give me contact details and a code of conduct? Thank you.

killing commented 10 years ago

Hi,

You can send me the details to xjqkilling at gmail dot com. Please include:

Thanks

fgeek commented 10 years ago

Thanks. I will contact you soon.

fgeek commented 10 years ago

Details have been sent. Please comment as soon as possible, thank you.

killing commented 10 years ago

We'll fix it today.

fgeek commented 10 years ago

@killing Thanks a lot for your efforts. Will you create a new release so that I can ask end-users to upgrade? We do have lots of Seafile instances in our web environment (http://www.kapsi.fi/english.html). Remember to add a note to the changelog/news that Kimmo Huoman found this one (and optionally that I handled coordination). We should also request a CVE identifier for this issue. Do you want me to do it, or will you do it from this project? http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

killing commented 10 years ago

The fix is included in the 3.1.2 release. I've added a note in the change log: https://seacloud.cc/group/3/wiki/Server%20ChangeLog/ You may help us by requesting a CVE. Thanks

fgeek commented 10 years ago

@killing Thank you. Are you going to create a blog post or advisory about the security issue (if you are busy etc., I understand)? The change log currently does not indicate the urgency of the update or carry a [security] tag. In our analysis this looks critical enough to at least mention the security vulnerability to users.

Questions:

fgeek commented 10 years ago

@killing The CVE request has now been submitted privately to MITRE, and after that I can email the public.

fgeek commented 10 years ago

This is now public information. Please see http://www.openwall.com/lists/oss-security/2014/08/24/3 for the mailing list post. Thank you for your work!

killing commented 10 years ago

@fgeek Thank you very much!