Closed hammerandtongs closed 6 years ago
@hammerandtongs We actually chatted a bit about this release on IRC.
As far as I think those discussing it concluded, Etherpad on Sandstorm shouldn't be affected at all by this security release.
That seems reasonable, it was more that I saw an old version in my sandstorm with nothing documented.
This bug now seems documented enough to me; seems like I could close this and it will still be available for the curious?
Note that on Sandstorm, the worst possible security vulnerability that Etherpad could have is one where a user who has been shared read-only access to a document is able to modify that document. On Sandstorm, it is impossible for a user to access any pad that you haven't shared with them.
That said, we should update the package. I'll try to find time next weekend...
http://blog.etherpad.org/2018/04/07/important-release-1-6-4/
"""TLDR; Site admins should Update ASAP to 1.6.4 due to several security enhancements.
Today we released Etherpad 1.6.4.
This release fixes several security vulnerabilities in recent versions:
One is an arbitrary code execution vulnerability in version 1.6.3. Another is an arbitrary code execution vulnerability which is present in all versions from 1.5.0 on, but only exploitable on sites that store pads in DirtyDB, CouchDB, MongoDB, or RethinkDB. A third allows attackers to export any pad without knowing its name (as normally required) in all versions from 1.5.0 on."""
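The comment above notes that on Sandstorm the worst case for a pad app is a read-only viewer managing to modify a document, because the grain is only reachable by users it was shared with. The following is an added example, not Etherpad's or Sandstorm's own code, of the server-side check a pad app behind Sandstorm's HTTP bridge would apply to keep that guarantee: the bridge forwards the caller's permission names in the `X-Sandstorm-Permissions` header (a comma-separated list); the permission names `read` and `modify`, the `Pad` type, and the edit/export functions are assumptions for this illustration.

```python
# Added example (not Etherpad's or Sandstorm's own code): per-grain permission
# enforcement for a collaborative pad app running behind Sandstorm's HTTP bridge.
# The bridge forwards the caller's permissions in X-Sandstorm-Permissions as a
# comma-separated list. The permission names "read" and "modify" are assumed
# app-defined names (declared in the app's own package definition), not
# something Sandstorm itself fixes.
from dataclasses import dataclass, field

READ = "read"
MODIFY = "modify"


def parse_permissions(headers: dict) -> frozenset:
    """Return the permission names forwarded by the bridge.
    A missing or empty header (e.g. an anonymous visitor) yields no permissions."""
    raw = headers.get("X-Sandstorm-Permissions", "")
    return frozenset(p.strip() for p in raw.split(",") if p.strip())


@dataclass
class Pad:
    text: str = ""
    revisions: list = field(default_factory=list)


class PermissionDenied(Exception):
    pass


def apply_edit(pad: Pad, headers: dict, new_text: str) -> Pad:
    """Write path: enforced on the server, independent of what the client UI
    shows, so a read-only viewer cannot change the document."""
    if MODIFY not in parse_permissions(headers):
        raise PermissionDenied("modify permission required")
    pad.revisions.append(pad.text)
    pad.text = new_text
    return pad


def export_pad(pad: Pad, headers: dict) -> str:
    """Read/export path: the grain is already only reachable by users it was
    shared with; this is the app's own second check on top of that."""
    if READ not in parse_permissions(headers):
        raise PermissionDenied("read permission required")
    return pad.text


def demo() -> dict:
    """Run constructed requests (editor, read-only viewer, anonymous) against
    one pad and report which operations were allowed."""
    pad = Pad(text="hello")
    editor = {"X-Sandstorm-Permissions": "read,modify"}   # constructed header
    viewer = {"X-Sandstorm-Permissions": "read"}          # constructed header
    anon = {}                                             # no header at all
    apply_edit(pad, editor, "hello world")
    results = {"editor_text": pad.text, "viewer_export": export_pad(pad, viewer)}
    for name, hdrs in (("viewer", viewer), ("anon", anon)):
        try:
            apply_edit(pad, hdrs, "tampered")
            results[name + "_write"] = "allowed"
        except PermissionDenied:
            results[name + "_write"] = "denied"
    results["final_text"] = pad.text
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the check is that the permission set comes from the platform, not from the client, and that a missing header is treated as having no rights rather than defaulting to edit access.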