[EP-tech] Re: EPrints Security Announcement - February 2021
Hi all,
Due to lockdown, I still have not got used to it being 2021 already.
These security issues were only identified in the last few weeks. I
have amended the subject line appropriately (i.e. February 2021).
Regards
David Newman
On 24/02/2021 10:09, martin.braendle at uzh.ch wrote:
>
> Thank you David.
> We applied the procedure yesterday (I use RSS on
> http://files.eprints.org/) and everything worked fine.
>
> Kind regards,
>
> Martin
>
> --
> Dr. Martin Brändle
> Zentrale Informatik
> Universität Zürich
> Stampfenbachstr. 73
> CH-8006 Zürich
>
>
>
>
> From: "David R Newman via Eprints-tech" <eprints-tech at ecs.soton.ac.uk>
> To: "eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>
> Date: 24/02/2021 10:44
> Subject: [EP-tech] EPrints Security Announcement - February 2020
> Sent by: <eprints-tech-bounces at ecs.soton.ac.uk>
>
> ------------------------------------------------------------------------
>
>
>
> Hi all,
> EPrints Services was recently made aware of a small number of security
> vulnerabilities within the EPrints codebase, affecting both EPrints
> 3.4 and EPrints 3.3.
> I have created two patch files to fix the vulnerabilities and uploaded
> them to http://files.eprints.org/.
>
> - EPrints 3.4.2 : https://files.eprints.org/2548/
> - EPrints 3.3.x : https://files.eprints.org/2549/
>
> The former fixes the EPrints 3.4.2 release and the latter fixes
> EPrints 3.3 (based on the current HEAD of
> https://github.com/eprints/eprints).
> These links also provide instructions on how to apply the patch file
> and some more details on the affected files. There are references to
> the Common Vulnerabilities and Exposures (CVE) IDs but as of now these
> are yet to be published. All the vulnerabilities identified relate to
> either Cross-Site Scripting (XSS) or Remote Code Execution (RCE)
> vulnerabilities. All of these vulnerabilities would require analysis
> of the codebase to determine an exploit. It is very unlikely that
> generic tools used to identify vulnerabilities would discover these,
> as specific knowledge is required.
>
> I have also updated to patch these vulnerabilities on both the eprints
> and eprints3.4 GitHub repositories for the eprints organisation
> (https://github.com/eprints).
> The next release of EPrints 3.4 (3.4.3) will have these security
> fixes in place.
>
> EPrints Services customers, both those whom EPrints Services host and
> those that self-host, have either been patched or, where this has not
> been possible, informed of the vulnerabilities and how they can be fixed.
>
> If you have any follow-up questions please feel free to ask.
> Hopefully, the CVEs will be published shortly for those interested in
> more detail. However, they were raised by a third party, whom I have
> only just given the go-ahead to make these public.
>
> Regards
>
> David Newman
>
>
>
>
>