
[EP-tech] Antwort: EPrints Security Announcement - February 2021



Hi all,

Due to lockdown, I still have not got used to it being 2021 already. 
These security issues were only identified in the last few weeks. I 
have amended the subject line appropriately (i.e. February 2021).

Regards

David Newman

On 24/02/2021 10:09, martin.braendle at uzh.ch wrote:
>
> Thank you David.
> We applied the procedure yesterday (I use RSS on 
> http://files.eprints.org/) and everything worked fine.
>
> Kind regards,
>
> Martin
>
> --
> Dr. Martin Brändle
> Zentrale Informatik
> Universität Zürich
> Stampfenbachstr. 73
> CH-8006 Zürich
>
>
>
>
> From: "David R Newman via Eprints-tech" <eprints-tech at ecs.soton.ac.uk>
> To: "eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>
> Date: 24/02/2021 10:44
> Subject: [EP-tech] EPrints Security Announcement - February 2020
> Sent by: <eprints-tech-bounces at ecs.soton.ac.uk>
>
> ------------------------------------------------------------------------
>
>
>
> Hi all,
> EPrints Services was recently made aware of a small number of security 
> vulnerabilities within the EPrints codebase, affecting both EPrints 
> 3.4 and EPrints 3.3.
> I have created two patch files to fix the vulnerabilities and uploaded 
> them to files.eprints.org <http://files.eprints.org/>.
>
> - EPrints 3.4.2 : https://files.eprints.org/2548/
> - EPrints 3.3.x : https://files.eprints.org/2549/
>
> The former fixes the EPrints 3.4.2 release and the latter fixes 
> EPrints 3.3 (based on the current HEAD of 
> https://github.com/eprints/eprints). 
> These links also provide instructions on how to apply the patch file 
> and some more details on the affected files. There are references to 
> the Common Vulnerabilities and Exposures (CVE) IDs but as of now these 
> are yet to be published. All the vulnerabilities identified relate to 
> either Cross-Site Scripting (XSS) or Remote Code Execution (RCE) 
> vulnerabilities. All of these vulnerabilities would require analysis 
> of the codebase to determine an exploit. It is very unlikely that 
> generic tools used to identify vulnerabilities would discover these, 
> as specific knowledge is required.
>
> I have also updated to patch these vulnerabilities on both the eprints 
> and eprints3.4 GitHub repositories for the eprints organisation 
> (https://github.com/eprints). 
> The next release of EPrints 3.4 (3.4.3) will have these security 
> fixes in place.
>
> EPrints Services customers both those who EPrints Services host and 
> those that self-host have either been patched or where this has not 
> been possible, informed of the vulnerabilities and how they can be fixed.
>
> If you have any follow-up questions please feel free to ask. 
> Hopefully, the CVEs will be published shortly for those interested in 
> more detail. However, they were raised by a third party, who I have 
> only just given go-ahead to make these public.
>
> Regards
>
> David Newman
>
>
>

