
[EP-tech] EPrints Security Announcement - February 2020



Hi all,

EPrints Services was recently made aware of a small number of security 
vulnerabilities within the EPrints codebase, affecting both EPrints 3.4 
and EPrints 3.3.
I have created two patch files to fix the vulnerabilities and uploaded 
them to files.eprints.org <http://files.eprints.org/>.

- EPrints 3.4.2 : https://files.eprints.org/2548/
- EPrints 3.3.x : https://files.eprints.org/2549/

The former fixes the EPrints 3.4.2 release and the latter fixes EPrints 
3.3 (based on the current HEAD of https://github.com/eprints/eprints). 
These links also provide instructions on how to apply the patch file and 
some more details on the affected files. There are references to the 
Common Vulnerabilities and Exposures (CVE) IDs but as of now these are 
yet to be published. All the vulnerabilities identified relate to 
either Cross-Site Scripting (XSS) or Remote Code Execution (RCE) 
vulnerabilities. All of these vulnerabilities would require analysis of 
the codebase to determine an exploit. It is very unlikely that generic 
tools used to identify vulnerabilities would discover these, as specific 
knowledge is required.

I have also updated to patch these vulnerabilities on both the eprints 
and eprints3.4 GitHub repositories for the eprints organisation 
(https://github.com/eprints). The next release of EPrints 3.4 (3.4.3) 
will have these security fixes in place.

EPrints Services customers, both those who EPrints Services host and 
those that self-host, have either been patched or, where this has not been 
possible, informed of the vulnerabilities and how they can be fixed.

If you have any follow-up questions please feel free to ask. Hopefully, 
the CVEs will be published shortly for those interested in more detail. 
However, they were raised by a third party, who I have only just given 
the go-ahead to make these public.

Regards

David Newman

