<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I'd vote announce. The announcement has the fix to existing
users attached (update download.php).<br>
</p>
<br>
<div class="moz-cite-prefix">On 04/04/2017 05:05 PM, Dan Little
wrote:<br>
</div>
<blockquote
cite="mid:CABqPoBYXZMp00t171LS5kKNvpuWKusW4eisMvAzypxn3nXOa2A@mail.gmail.com"
type="cite">
<meta http-equiv="Context-Type" content="text/html; charset=UTF-8">
<div dir="ltr">I just heard back from Jeff, he's going to have a
new MS4W package in the morning. Barring objection, I'd like to
save the larger public announcement until then as we know all
the packages are then up to date.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Apr 4, 2017 at 3:51 PM, James
Klassen <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:klassen.js@gmail.com" target="_blank">klassen.js@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote">
<div dir="auto">Good points.
<div dir="auto"><br>
</div>
<div dir="auto">Also, I have made 2.7.2, 2.8.2, and 2.9.3
releases with the fix.</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Apr 4, 2017 15:42, "TC
Haddad" <<a moz-do-not-send="true"
href="mailto:tchaddad@gmail.com" target="_blank">tchaddad@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote">
<div dir="ltr">
<div>
<div>
<div>
<div><br>
</div>
Hey Dan,<br>
<br>
</div>
FWIW, the text of your proposed email looks
good. I think you could replace the three
references to 'bug' with 'security issue'
and that is more likely to get people's
attention / quick action. <br>
<br>
</div>
I feel like when there are security releases
in other projects, the information on the
users list is kept to a minimum - just the
facts of the release, relevant download links,
and not a lot of info on the nature of the
exploit. <br>
<br>
So given that you could even just end your
first paragraph after "earlier versions of the
2.X series may also be affected."... if you
think that's enough detail.<br>
<br>
</div>
Tanya<br>
<div><br>
<div>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Apr 4, 2017 at
12:48 PM, James Klassen <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:klassen.js@gmail.com"
target="_blank">klassen.js@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote">
<div dir="auto">Right.
<div dir="auto"><br>
</div>
<div dir="auto">I will also hide the bad
versions on the downloads (and redirect
them to current).</div>
</div>
<div
class="m_7596895661733410632m_-6871260278614510280HOEnZb">
<div
class="m_7596895661733410632m_-6871260278614510280h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Apr 4,
2017 14:46, "Dan Little" <<a
moz-do-not-send="true"
href="mailto:theduckylittle@gmail.com"
target="_blank">theduckylittle@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote">
<div dir="ltr">I suspect it will
be but don't want to be offering
fresh downloads with the bug. </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue,
Apr 4, 2017 at 2:44 PM, James
Klassen <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:klassen.js@gmail.com"
target="_blank">klassen.js@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote">
<div dir="auto">
<div dir="auto">Yep, this
deserves immediate
action. will build new
releases of the 2.7+
branches as soon as I
can.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Although
people dropping in the
updated download.php
from master is probably
the quicker and easier
patch.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>On
Apr 4, 2017 14:23,
"Dan Little" <<a
moz-do-not-send="true"
href="mailto:theduckylittle@gmail.com" target="_blank">theduckylittle@gmail.com</a>>
wrote:<br
type="attribution">
</span>
<blockquote
class="gmail_quote">
<div>
<div
class="m_7596895661733410632m_-6871260278614510280m_-2820752078383163516m_7537269289022039818h5">
<div dir="ltr">Hey
Folks,
<div><br>
</div>
<div>Looking for
some advice on
how to handle
a GeoMoose
Security bug.
A user
reported
earlier today
that the
download.php
script allowed
for file
system
traversal by
normalizing
paths. E.g: </div>
<blockquote
class="gmail_quote"><a
moz-do-not-send="true"
href="http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd"
target="_blank">http://demo.geomoose.org/master/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd</a></blockquote>
<div><br>
</div>
<div>The call
above was
actually
returning the
password file.
I have a new
version of
download.php
that I've put
into master,
r2.7, r2.8,
r2.9. It can
be seen here:</div>
<div><br>
</div>
<div>- <a
moz-do-not-send="true"
href="https://github.com/geomoose/geomoose-services/blob/master/php/download.php"
target="_blank">https://github.com/geomoose/geomoose-services/blob/master/php/download.php</a></div>
<div><br>
</div>
<div>The user's
list should be
notified
immediately
but I suspect
it would be
good for us to
have
instructions
written and
new packages
available. </div>
<div><br>
</div>
<div>Here's my
draft for the
user's list:</div>
<div><br>
</div>
<div>(start)</div>
<div><br>
</div>
<div>ALL
USERS!!!</div>
<div><br>
</div>
<div>A bug in
GeoMoose was
identified
that affects
many versions
of GeoMoose.
The earliest
version of the
bug we have
been able to
identify is
GeoMoose 2.7
but earlier
versions of
the 2.X series
may also be
affected.
This bug
allows a well-crafted
URL to
access the
contents of
nearly any
file on the
file system. </div>
<div><br>
</div>
<div>The fix for
this is easy
and works the
same for all
versions of
GeoMoose.
Find your copy
of
"download.php"
and replace it
with this one:</div>
<div><br>
</div>
<div>- <a
moz-do-not-send="true"
href="https://github.com/geomoose/geomoose-services/raw/master/php/download.php"
target="_blank">https://github.com/geomoose/geomoose-services/raw/master/php/download.php</a></div>
<div><br>
</div>
<div>This
version has
been tested
and does not
exhibit the
bug.</div>
<div><br>
</div>
<div>*Please*
update your
GeoMoose
installations
as soon as
possible.</div>
<div><br>
</div>
<div>Thank You,</div>
<div><br>
</div>
<div>The
GeoMoose Team</div>
<div><br>
</div>
<div>(end)</div>
<div><br>
</div>
<div>Any feedback
is
welcome,
please let me
know! If I
don't hear
from anyone by
tomorrow
morning I'm
going to drop
the above
message.</div>
<div><br>
</div>
</div>
<br>
</div>
</div>
<span>_______________________________________________<br>
geomoose-psc mailing
list<br>
<a
moz-do-not-send="true"
href="mailto:geomoose-psc@lists.osgeo.org" target="_blank">geomoose-psc@lists.osgeo.org</a><br>
<a
moz-do-not-send="true"
href="https://lists.osgeo.org/mailman/listinfo/geomoose-psc"
rel="noreferrer"
target="_blank">https://lists.osgeo.org/mailman/listinfo/geomoose-psc</a><br>
</span></blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
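<p>The download.php problem discussed in the quoted thread is a path traversal: the script assembled a file path from the <code>id</code> and <code>ext</code> request parameters, and path normalization resolved the <code>..</code> segments so that the file actually opened lay outside the intended download directory. The following is an added example, not the GeoMoose project's download.php or its published fix, showing how such a handler can validate the resolved path after normalization instead of before. The <code>$baseDir</code> download directory and the list of allowed extensions are assumptions for the example.</p>

```php
<?php
// Added example, not GeoMoose code: resolve a download path from untrusted
// "id" and "ext" parameters without letting ".." or "/" escape the base directory.
// $baseDir (a hypothetical downloads/ folder) and the extension list are assumptions.

// The unsafe pattern is to concatenate the parameters and serve the result,
// relying on the operating system to normalize it:
//   readfile($baseDir . '/' . $_GET['id'] . $_GET['ext']);
// Normalization is exactly what turns "foo/." plus "/../../etc/passwd" into a path
// outside $baseDir, so the containment check has to run on the normalized path.

function resolve_download_path(string $baseDir, string $id, string $ext): ?string
{
    // Only serve the file types this handler exists for (constructed list).
    $allowedExt = ['zip', 'csv', 'pdf'];
    $ext = strtolower(ltrim($ext, '.'));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // The id must be a plain token: no slashes, dots, or NUL bytes.
    if (preg_match('/^[A-Za-z0-9_-]+$/', $id) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves ".", ".." and symlinks and returns false for a missing
    // file, so the check below runs against the path that would actually be opened.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id . '.' . $ext);
    if ($candidate === false) {
        return null;
    }

    // Defence in depth: even with the id and ext filters, insist that the resolved
    // path starts with the base directory followed by a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Handler usage (constructed): an unresolvable or escaping request gets a plain 404,
// and nothing about the attempted path is echoed back to the client.
$baseDir = __DIR__ . '/downloads';
$path = resolve_download_path(
    $baseDir,
    (string)($_GET['id'] ?? ''),
    (string)($_GET['ext'] ?? '')
);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

<p>With these checks the request quoted in the thread (<code>id=foo/.</code> with <code>ext=/../../../../../../../etc/passwd</code>) is rejected at the id pattern check before any file is touched, and a symlink placed inside the download directory that points outside it is caught by the <code>realpath</code> prefix comparison. On the detection side, web server log entries for download.php whose query string contains <code>..</code> or an absolute path in <code>ext</code> are a cheap indicator of attempts against installations that have not yet replaced the script.</p>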
<br>
</body>
</html>