Subject: Re: [Health-dev] [bug #58584] Various security issues for gnuhealth-control
From: Axel Braun
Date: Wed, 17 Jun 2020 13:47:13 +0200
Hello Luis,
I have already informed you three months ago in a private, encrypted mail about
this issue - the solution was provided on 23 March, also in an encrypted mail.
Release 3.6.4 was one month ago, and I had emphasized this to you as well.
Too bad that it was ignored, as I just found out.
Best,
Axel
On Wednesday, 17 June 2020, 13:29:55 CEST, Luis Falcon wrote:
> Hi Axel, Johannes
>
> Axel, please before sending any potential vulnerability, practice
> coordinated disclosure. Make sure you write to
> "security@gnuhealth.org"[1] so we can discuss and apply the pertinent
> patches if needed.
>
> This particular context is not critical, but if it were the case,
> you would be publicly exposing the vulnerability.
>
> Let me repeat: *ALWAYS* write privately to security@gnuhealth.org if you
> think there is a vulnerability.
>
> I have noticed that
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167126
>
> and
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167128
>
> are public.
>
>
> 1.-
> https://en.wikibooks.org/wiki/GNU_Health/Security#Reporting_a_security_vulnerability
>
>
> On Tue, 16 Jun 2020 13:42:56 -0400 (EDT)
>
> Axel Braun <INVALID.NOREPLY@gnu.org> wrote:
> > URL:
> > <https://savannah.gnu.org/bugs/?58584>
> >
> > Summary: Various security issues for gnuhealth-control
> >
> > Project: GNU Health
> >
> > Submitted by: coogor
> > Submitted on: Tue 16 Jun 2020 05:42:54 PM UTC
> >
> > Category: Security
> > Severity: 4 - Important
> >
> > Item Group: None
> >
> > Status: None
> >
> > Privacy: Private
> >
> > Assigned to: None
> > Open/Closed: Open
> >
> > Release: None
> >
> > Discussion Lock: Any
> >
> > Module: gnuhealth-control
> >
> > _______________________________________________________
> >
> > Details:
> >
> > The SUSE security team has conducted an audit on gnuhealth-control
> > and found issues related to:
> > https://bugzilla.opensuse.org/show_bug.cgi?id=1167126
> > (Local privilege escalation in gnuhealth-control, use of static tmp
> > file/http transport )
> >
> > https://bugzilla.opensuse.org/show_bug.cgi?id=1167128
> > (Local DoS of backup functionality in gnuhealth-control due to use of
> > static tmp files)
> >
> > These issues are fixed in gnuhealth-control shipped with openSUSE,
> > but not yet in gnuhealth-vanilla.
> >
> > The attached gnuhealth-control should fix the issues mentioned above
> >
> > _______________________________________________________
> >
> > File Attachments:
> >
> >
> > -------------------------------------------------------
> > Date: Tue 16 Jun 2020 05:42:54 PM UTC
> > Name: gnuhealth-control_364
> > Size: 19KiB
> > By: coogor
> > gnuhealth-control with fixes applied
> > <http://savannah.gnu.org/bugs/download.php?file_id=49279>
> >
> > _______________________________________________________
> >
> > Reply to this item at:
> > <https://savannah.gnu.org/bugs/?58584>
> >
> > _______________________________________________
> >
> > Message sent via Savannah
> > https://savannah.gnu.org/
--
Dr.-Ing. Axel K. Braun
M: +49.173.7003.154
T: @coogor
Matrix: @docb:matrix.org
PGP Fingerprint: 2E7F 3A19 A4A4 844A 3D09 7656 822D EB64 A3BA 290D
Public Key available at http://www.axxite.com/axel.braun@gmx.de.asc
Personal Freedom starts with free/libre Software
ThinkPad T520 running openSUSE Tumbleweed 20200615
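The two openSUSE reports quoted in the bug above both stem from gnuhealth-control writing to a fixed path under /tmp. The following is an added illustration of that bug class and its usual fix, not code from gnuhealth-control or the thread; the file name, the `tmp_is_private` helper and the use of GNU `stat -c` are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not gnuhealth-control's own code): a fixed temp path
# versus a per-run file created by mktemp, plus the checks a backup
# script should make before trusting any temp file it is about to use.

# Weak pattern: one predictable, world-readable path name. Any local
# user can create this name (or a symlink under it) before the backup
# runs, which is how a static tmp file turns into DoS or privilege
# escalation. The name itself is a constructed placeholder.
unsafe_tmp_path() {
    printf '%s\n' "/tmp/gnuhealth-backup.tmp"
}

# Hardened pattern: mktemp creates the file atomically, with mode 0600
# and an unpredictable suffix, under TMPDIR (default /tmp).
safe_tmp_path() {
    mktemp "${TMPDIR:-/tmp}/gnuhealth-backup.XXXXXX"
}

# Succeeds (exit 0) only when the path is a regular file, not a symlink,
# owned by the calling user and with no group/other permission bits,
# i.e. a file nobody else could have planted or can read.
# Assumes GNU coreutils stat (-c '%a').
tmp_is_private() {
    local p="$1" perms
    [ ! -L "$p" ] || return 1        # refuse symlinks outright
    [ -f "$p" ]   || return 1        # must be a regular file
    [ -O "$p" ]   || return 1        # must be owned by us
    perms=$(stat -c '%a' "$p") || return 1
    [ "$perms" = "600" ]
}

# Backup helper: obtain a private temp file or fail closed, never
# falling back to the fixed name.
write_backup_data() {
    local f
    f=$(safe_tmp_path) || return 1
    tmp_is_private "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$1" > "$f"        # constructed sample payload
    printf '%s\n' "$f"
}
```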