[GeoNode-users] Geonode security vulnerability

Alessio Fabiani alessio.fabiani at geo-solutions.it
Tue Feb 14 02:18:54 PST 2017 

I guess it would be good to update also this script

https://github.com/GeoNode/geonode/blob/master/package/install.sh#L109


Best Regards,
Alessio Fabiani.

==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==

Ing. Alessio Fabiani
@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax:     +39 0584 1660272
mob:   +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.



The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

---------------------------------------------------------------------

On Tue, Feb 14, 2017 at 12:04 AM, Jonathan Doig <j.doig at unsw.edu.au> wrote:

> OK for consistency I’ve added those lines for uploaded/layers to the 2.4
> manual install doco in this pull request
> <https://github.com/GeoNode/geonode/pull/2904>.
>
>
>
> Jonathan
>
>
>
> *From:* Simone Dalmasso [mailto:simone.dalmasso at gmail.com]
> *Sent:* Monday, 13 February 2017 11:29 PM
> *To:* Daniel Victoria
> *Cc:* Jonathan Doig; geonode-users at lists.osgeo.org
>
> *Subject:* Re: [GeoNode-users] Geonode security vulnerability
>
>
>
> Daniel, this good, we did this on master and 2.4.x as well see
> https://github.com/GeoNode/geonode/commit/5023b5df25da4acd7854e70f59e3ce
> cb32d3f2f2
>
>
>
> Ciao
>
>
>
> 2017-02-13 12:04 GMT+01:00 Daniel Victoria <daniel.victoria at gmail.com>:
>
> The geonode.conf file in my Geonode instalation (2.4) did not have those
> lines. However, the upload/layers directory was still open to all. Looking
> at the geonode.conf file I noticed that the uploaded/documents directory
> was closed with the options:
>
> <Directory "/var/www/geonode/uploaded/documents/">
>        Order allow,deny
>        Deny from all
> </Directory>
>
> So I repeated the same lines for the layers directory:
>
>
> <Directory "/var/www/geonode/uploaded/layers/">
>        Order allow,deny
>        Deny from all
> </Directory>
>
> Does that look ok? Or am I bound to break something? Until now, everything
> looks fine
>
> Thanks
>
> Daniel
>
>
>
>
>
> On Mon, Feb 13, 2017 at 4:15 AM, Simone Dalmasso <
> simone.dalmasso at gmail.com> wrote:
>
> Hi Jonathan,
>
>
>
> the change is not yet published in the packages but the 2.6 will
> definitely contain it.
>
>
>
> Best
>
>
>
> 2017-02-13 0:28 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au>:
>
> I’ve tested upload at my end after the change: no impact. Also it was
> advised (and merged to the doco) by Geonode dev Simone Dalmasso.
>
>
>
> Regards
>
> Jonathan
>
>
>
> *From:* Daniel Victoria [mailto:daniel.victoria at gmail.com]
> *Sent:* Friday, 10 February 2017 11:22 PM
> *To:* Jonathan Doig
> *Cc:* geonode-users at lists.osgeo.org
> *Subject:* Re: [GeoNode-users] Geonode security vulnerability
>
>
>
> Hi Jonathan,
>
> Thanks for the heads up. Just to be sure, by changing the geonode.conf I
> wont break any other GeoNode funcionality?
>
> Cheers
>
> Daniel
>
>
>
> On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <j.doig at unsw.edu.au> wrote:
>
> Dear all
>
>
>
> I found this issue on my own site and am passing it on as it also affects
> a number of sites I’ve found online.
>
>
>
> The data on your Geonode site may be publicly downloadable, regardless of
> permissions, at:
>
> http://<your_geonode_host>/uploaded/layers/
>
>
>
> You need to edit /etc/apache2/sites-available/geonode.conf and remove the
> block which tells Apache to serve uploaded/layers/. It will look something
> like this:
>
>
>
>     <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
>
>         Order allow,deny
>
>         Options Indexes FollowSymLinks
>
>         Allow from all
>
>         Require all granted
>
>         IndexOptions FancyIndexing
>
>     </Directory>
>
>
>
> Then restart Apache:
>
>
>
>     sudo service apache2 restart
>
>
>
> I’ve issued a pull request <https://github.com/GeoNode/geonode/pull/2899>
> to update the install doco
> <http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>.
> As a courtesy, I’ve also contacted the admins of sites I found through a
> “Powered by Geonode” Google search.
>
>
>
> Regards
>
> *Jonathan Doig*
>
> *Software Engineer – Spatial Systems*
>
> *City Futures Research Centre*
>
> *UNSW Built Environment *
>
> Level 3, Red Centre West Wing
>
>
>
> UNSW Sydney
>
> NSW 2052 AUSTRALIA
>
> T:+ 61 (2) 9385 5319 <+61%202%209385%205319> M: 0409 049185 <049%20185>
>
> cityfutures.net.au <http://cityfutures.be.unsw.edu.au/>
>
>
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-users
>
>
>
>
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-users
>
>
>
>
>
> --
>
> Simone
>
>
>
>
>
>
>
> --
>
> Simone
>
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20170214/6296270a/attachment-0001.html>

More information about the geonode-users mailing list