EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #08532
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
Re: [EP-tech] Antwort: EPrints Security Announcement - February 2021
- To: <martin.braendle@uzh.ch>, <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] Antwort: EPrints Security Announcement - February 2021
- From: David R Newman <drn@ecs.soton.ac.uk>
- Date: Wed, 24 Feb 2021 10:58:28 +0000
Hi all,
Due to lockdown, I still have not got use to it being 2021 already. These security issues were only identified in the last few weeks. I have amended the subject line appropriately (i.e. February 2021).
Regards
David Newman
CAUTION: This e-mail originated outside the University of Southampton.Thank you David.
We applied the procedure yesterday (I use RSS on http://files.eprints.org) and everything worked fine.
Kind regards,
Martin
--
Dr. Martin Brändle
Zentrale Informatik
Universität Zürich
Stampfenbachstr. 73
CH-8006 Zürich
"David R Newman via Eprints-tech" ---24/02/2021 10:44:46---Hi all, EPrints Services was recently made aware of a small number of security
Von: "David R Newman via Eprints-tech" <eprints-tech@ecs.soton.ac.uk>
An: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
Datum: 24/02/2021 10:44
Betreff: [EP-tech] EPrints Security Announcement - February 2020
Gesendet von: <eprints-tech-bounces@ecs.soton.ac.uk>
Hi all,
EPrints Services was recently made aware of a small number of security vulnerabilities within the EPrints codebase, affecting both EPrints 3.4 and EPrints 3.3.
I have created two patch files to fix the vulnerabilities and uploaded them to files.eprints.org.
- EPrints 3.4.2 : https://files.eprints.org/2548/
- EPrints 3.3.x : https://files.eprints.org/2549/
The former fixes the EPrints 3.4.2 release and the latter fixes EPrints 3.3 (based on the current HEAD of https://github.com/eprints/eprints). These links also provide instructions on how to apply the patch file and some more details on the affected files. There are references to the Common Vulnerabilities and Exposure (CVE) IDs but as of now these are yet to be published. All the vulnerabilities identified relate to either Cross-Site Scripting (XSS) or Remote Code Execution (RCE) vulnerabilities. All of these vulnerabilities would require analysis of the codebase to determine an exploit. It is very unlikely that generic tools used to identify vulnerabilities would discover these, as specific knowledge is required.
I have also updated to patch these vulnerabilities on both the eprints and eprints3.4 GitHub repositories for the eprints organisation (https://github.com/eprints). The next release of EPrints 3.4 (3.4.3) will have these security fixes in place.
EPrints Services customers both those who EPrints Services host and those that self-host have either been patched or where this has not been possible, informed of the vulnerabilities and how they can be fixed.
If you have any follow-up questions please feel free to ask. Hopefully, the CVEs will be published shortly for those interested in more detail. However, they were raised by a third party, who I have only just given go-ahead to make these public.
Regards
David Newman
*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
Virus-free. www.avg.com
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
- References:
- [EP-tech] EPrints Security Announcement - February 2020
- From: David R Newman <drn@ecs.soton.ac.uk>
- [EP-tech] Antwort: EPrints Security Announcement - February 2020
- From: <martin.braendle@uzh.ch>
- [EP-tech] EPrints Security Announcement - February 2020
- Prev by Date: [EP-tech] Antwort: EPrints Security Announcement - February 2020
- Next by Date: Re: [EP-tech] EPrints Security Announcement - February 2020
- Previous by thread: [EP-tech] EPrints/CRIS
- Next by thread: [EP-tech] DOI handling in orcid_support_advance
- Index(es):