[EP-tech] EPrints Security Announcement - February 2020

I would definitely use mathjax over the cgi route.

Our server has the js added to? cfg/lang/en/templates/default.xml

<script type="text/x-mathjax-config">
MathJax.Hub.Config({tex2jax: {inlineMath: [['$','$'], ['\$','\$']]}});
</script>
<script type="text/javascript" async="async"
</script> And nothing else. Maybe that's enough to get it to work?

On 24/02/2021 14:35, John Salter via Eprints-tech wrote:
> *CAUTION:* This e-mail originated outside the University of Southampton.
> I was wondering if anyone had integrated any javascript libraries
> achieve something similar to this?
>
> Cheers,
> John
> ------------------------------------------------------------------------
> *From:* eprints-tech-bounces at ecs.soton.ac.uk
> <eprints-tech-bounces at ecs.soton.ac.uk> on behalf of Alan.Stiles via
> Eprints-tech <eprints-tech at ecs.soton.ac.uk>
> *Sent:* 24 February 2021 14:03
> *To:* eprints-tech at ecs.soton.ac.uk <eprints-tech at ecs.soton.ac.uk>
> *Subject:* Re: [EP-tech] EPrints Security Announcement - February 2020
> *CAUTION:* This e-mail originated outside the University of Southampton.
>
> The patch does leave latex2png empty.
>
> We still use this to include e.g. mathematical symbology in item
> abstracts so we have added some sanitisation to the input parameter in
> that cgi script rather than removing the function completely (3.3.15
> or 16 here).
>
> Alan
>
> *From: *<eprints-tech-bounces at ecs.soton.ac.uk> on behalf of
> "eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>
> *Reply to: *"eprints-tech at ecs.soton.ac.uk"
> <eprints-tech at ecs.soton.ac.uk>, James Kerwin <jkerwin2101 at gmail.com>
> *Date: *Wednesday, 24 February 2021 at 13:41
> *To: *"eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>,
> David R Newman <drn at ecs.soton.ac.uk>
> *Subject: *Re: [EP-tech] EPrints Security Announcement - February 2020
>
> CAUTION: This mail comes from outside the University. Please consider
> this before opening attachments, clicking links, or acting on the
> content.
>
> *CAUTION:*This e-mail originated outside the University of Southampton.
>
> Hi David,
>
> Thank you very much for bringing this to our attention and providing
> the solutions.
>
> Shamefully, we are still on 3.3.14 (I promise we are upgrading this
> year). The patch mentioned works on 3.3.16 and the page says it might
> work on earlier versions (a brief look through two of the files
> suggests they're more or less the same as those for 3.3.16)
>
> In my attempt to avoid any problems that could result from "might" are
> these the files that need altering if I were to do it manually:
>
> ?/cgi/ajax/phrase : CVE-2021-26703
>
> /cgi/latex2png : CVE-2021-3342
>
> /cgi/toolbox/toolbox : CVE-2021-26704
>
> There also appears to be some changes to be made to XML.pm
>
> Am I interpreting it correctly where it looks as though latex2png will
> be left as an empty file (deleted) by the end?
>
> I think the page makes it very clear that these are the files that are
> affected, but I just want to check there aren't any others that the
> patch addresses. I have looked at the patch, but I try not to
> underestimate my ability to totally misunderstand the most obvious of
> things.
>
> My plan is to try the command first on a test EPrints server and if it
> doesn't?work, do it manually.
>
> Thanks,
>
> James
>
> On Wed, Feb 24, 2021 at 9:27 AM David R Newman via Eprints-tech
> <eprints-tech at ecs.soton.ac.uk <mailto:eprints-tech at ecs.soton.ac.uk>>
> wrote:
>
>     Hi all,
>
>     EPrints Services was recently made aware of a small number of
>     security vulnerabilities within the EPrints codebase, affecting
>     both EPrints 3.4 and EPrints 3.3.
>
>     I have created two patch files to fix the vulnerabilities and
>
>
>
>
>     The former fixes the EPrints 3.4.2 release and the latter fixes
>     EPrints 3.3 (based on the current HEAD of
>     These links also provide instructions on how to apply the patch
>     file and some more details on the affected files.? There are
>     references to the Common Vulnerabilities and Exposure (CVE) IDs
>     but as of now these are yet to be published.? All the
>     vulnerabilities identified relate to either Cross-Site Scripting
>     (XSS) or Remote Code Execution (RCE) vulnerabilities. All of these
>     vulnerabilities would require analysis of the codebase to
>     determine an exploit.? It is very unlikely that generic tools used
>     to identify vulnerabilities would discover these, as specific
>     knowledge is required.
>
>     I have also updated to patch these vulnerabilities on both the
>     eprints and eprints3.4 GitHub repositories for the eprints
>     The next release of EPrints 3.4 (3.4.3) will have these security
>     fixes in place.
>
>     EPrints Services customers both those who EPrints Services host
>     and those that self-host have either been patched or where this
>     has not been possible, informed of the vulnerabilities and how
>     they can be fixed.
>
>     If you have any follow-up questions please feel free to ask.
>     Hopefully, the CVEs will be published shortly for those interested
>     in more detail.? However, they were raised by a third party, who I
>     have only just given go-ahead to make these public.
>
>     Regards
>
>     David Newman
>
>     Image removed by sender.
>
>
>
>
>
>     *** Options:
>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>     <http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech>