<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi,<br>
    We have sent the code to Jonathan Druart as he wanted,<br>
    and we can get all info without authorization even in 3.20.x, hence
    it should be fixed ASAP.<br>
    <br>
    Best regards,<br>
    Devinim Koha Development Team<br>
    <br>
    <div class="moz-cite-prefix">On 15-03-2017 19:17, Stefano Bargioni
      wrote:<br>
    </div>
    <blockquote cite="mid:AAE814A4-00AB-4536-BBD2-361C2722930F@pusc.it"
      type="cite">
      Uh..., probably it is not so good to publish security issues on a
      public list.
      <div class="">The official way is</div>
      <div class=""><a moz-do-not-send="true"
          href="https://koha-community.org/security/" class="">https://koha-community.org/security/</a></div>
      <div class="">if I'm not wrong.</div>
      <div class="">sb<br class="">
        <div class=""><br class="">
          <div>
            <blockquote type="cite" class="">
              <div class="">On 15 Mar 2017, at 16:57, Devinim Koha
                Development Team <<a moz-do-not-send="true"
                  href="mailto:kohadevinim@devinim.com.tr" class="">kohadevinim@devinim.com.tr</a>>
                wrote:</div>
              <br class="Apple-interchange-newline">
              <div class="">
                <div bgcolor="#FFFFFF" text="#000000" class="">
                  <p class="">Hi,</p>
                  <p class="">In that case we can reach the user
                    detailed information without giving a password by
                    curl.</p>
                  <p class="">If you want we can share the code how to
                    get this information without authentication, from
                    this list.<br class="">
                  </p>
                  <br class="">
                  <div class="moz-cite-prefix">On 15-03-2017 18:50,
                    Jonathan Druart wrote:<br class="">
                  </div>
                  <blockquote
cite="mid:CAJzKNY4b5eQbScx+ZKZgJzJQog1F+2J-VgAsTsFOeTm9zG=5SQ@mail.gmail.com"
                    type="cite" class="">
                    <div dir="ltr" class="">
                      <div class="">
                        <div class="">
                          <div class="">
                            <div class="">
                              <div class="">Hi,<br class="">
                              </div>
                              <br class="">
                              authnotrequired is set to 1 because
                              opac-memberentry.pl is also
                              used by the self-registration feature.<br class="">
                            </div>
                            The patron information displayed is based on
                            the logged in user, not a parameter passed
                            to the script.<br class="">
                            <br class="">
                          </div>
                          Everything looks ok to me.<br class="">
                          <br class="">
                        </div>
                        Regards,<br class="">
                      </div>
                      Jonathan<br class="">
                      <br class="">
                      <div class="gmail_quote">
                        <div dir="ltr" class="">On Wed, 15 Mar 2017 at
                          12:18 Devinim Koha Development Team <<a
                            moz-do-not-send="true"
                            href="mailto:kohadevinim@devinim.com.tr"
                            class="">kohadevinim@devinim.com.tr</a>>
                          wrote:<br class="">
                        </div>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"
                            class="gmail_msg">
                            <p class="gmail_msg">Hi all,</p>
                            <p class="gmail_msg">In the <a
                                moz-do-not-send="true"
                                href="http://opac-memberentry.pl/"
                                class="gmail_msg" target="_blank">opac-memberentry.pl</a>
                              authnotrequired area is 1 by default, in
                              that case, user information can be reached
                              without given a user authentication <br
                                class="gmail_msg">
                            </p>
                            <p class="gmail_msg">and this can lead some
                              vulnerabilites, do we miss something? We
                              were not able to understand why it is 1 by
                              default?</p>
                            <p class="gmail_msg">Thanks.<br
                                class="gmail_msg">
                            </p>
                          </div>
                          <div bgcolor="#FFFFFF" text="#000000"
                            class="gmail_msg">
                            <div class="
                              m_1657876652455208796moz-cite-prefix
                              gmail_msg">On 14-03-2017 11:33, Chris
                              Cormack wrote:<br class="gmail_msg">
                            </div>
                            <blockquote type="cite" class="gmail_msg">Hi,
                              <br class="gmail_msg">
                              <br class="gmail_msg">
                              Normally once they are released the
                              release maintainer shifts them out of
                              security. That one got missed, shifted now
                              <br class="gmail_msg">
                              <br class="gmail_msg">
                              Chris <br class="gmail_msg">
                              <br class="gmail_msg">
                              <div class="gmail_quote gmail_msg">On 14
                                March 2017 9:13:51 PM NZDT, Devinim Koha
                                Development Team <a
                                  moz-do-not-send="true" class="
                                  m_1657876652455208796moz-txt-link-rfc2396E
                                  gmail_msg"
                                  href="mailto:kohadevinim@devinim.com.tr"
                                  target="_blank"><kohadevinim@devinim.com.tr></a>
                                wrote:
                                <blockquote class="gmail_quote
                                  gmail_msg" style="margin:0pt 0pt 0pt
                                  0.8ex;border-left:1px solid
                                  rgb(204,204,204);padding-left:1ex">
                                  <pre class="gmail_msg m_1657876652455208796k9mail">Hi all,

How can we see the fixes of security bugs?

We've faced a vulnerability, Bug# 16969, in a new version, but 
it's said that it was fixed in 3.22.10.


Thanks.

Devinim Koha Dev. Team

<hr class="gmail_msg">
Koha-devel mailing list
<a moz-do-not-send="true" class="gmail_msg m_1657876652455208796moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org" target="_blank">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" class="gmail_msg" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" href="http://www.koha-community.org/" class="gmail_msg" target="_blank">http://www.koha-community.org</a>/
git : <a moz-do-not-send="true" href="http://git.koha-community.org/" class="gmail_msg" target="_blank">http://git.koha-community.org</a>/
bugs : <a moz-do-not-send="true" href="http://bugs.koha-community.org/" class="gmail_msg" target="_blank">http://bugs.koha-community.org</a>/
</pre></blockquote></div>

-- 

Sent from my Android device with K-9 Mail. Please excuse my brevity.


</blockquote>
</div>
</blockquote></div></div>


<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="" wrap="">_______________________________________________
Koha-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.koha-community.org/">http://www.koha-community.org/</a>
git : <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://git.koha-community.org/">http://git.koha-community.org/</a>
bugs : <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bugs.koha-community.org/">http://bugs.koha-community.org/</a></pre>

</blockquote>
</div>
</div></blockquote></div>
</div></div>

<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="">_______________________________________________
Koha-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a>
<a class="moz-txt-link-freetext" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a class="moz-txt-link-freetext" href="http://www.koha-community.org/">http://www.koha-community.org/</a>
git : <a class="moz-txt-link-freetext" href="http://git.koha-community.org/">http://git.koha-community.org/</a>
bugs : <a class="moz-txt-link-freetext" href="http://bugs.koha-community.org/">http://bugs.koha-community.org/</a></pre>

</blockquote>
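<p>The design Jonathan describes in the thread (the script stays reachable
without a login because it also serves self-registration, but the patron it
shows is taken from the session, never from a request parameter) as an added
stand-in in Perl. This is illustrative code written for this page, not Koha's
opac-memberentry.pl or C4::Auth; the patron table, session store, the
<code>resolve_borrowernumber</code> and <code>handle_memberentry</code>
functions and the request labels are all constructed here.</p>

```perl
#!/usr/bin/perl
# Illustrative stand-in for the pattern discussed on the list: a script that
# runs with authnotrequired => 1 (anonymous users allowed, because the same
# script serves self-registration) but resolves *which* patron to show from
# the session only, never from a request parameter.
# Example code written for this page, not Koha's opac-memberentry.pl or
# C4::Auth; every record and name below is constructed.
use strict;
use warnings;

# Constructed patron records, keyed by borrowernumber.
my %PATRONS = (
    42 => { surname => 'Doe', firstname => 'Jane',    email => 'jane@example.org' },
    43 => { surname => 'Roe', firstname => 'Richard', email => 'richard@example.org' },
);

# Constructed session store: session id (cookie value) -> borrowernumber.
my %SESSIONS = (
    'sess-abc123' => 42,
);

# Stand-in for the part of an authnotrequired => 1 login check that matters
# here: a missing or unknown session does not abort the request, it simply
# yields no borrowernumber.
sub resolve_borrowernumber {
    my ($cookie) = @_;
    return undef unless defined $cookie;
    return $SESSIONS{$cookie};    # undef when the session is unknown
}

# Handle one request. $params is the decoded query string / POST body and is
# deliberately never consulted for identity: the only acceptable source of
# "who is this" is the session behind the cookie.
# Returns a hashref describing what the page would render.
sub handle_memberentry {
    my ($cookie, $params) = @_;
    my $borrowernumber = resolve_borrowernumber($cookie);

    if (defined $borrowernumber) {
        my $patron = $PATRONS{$borrowernumber};
        return { action => 'edit', patron => $patron } if $patron;
    }
    # Anonymous: blank self-registration form, no patron fields prefilled.
    return { action => 'register', patron => {} };
}

# Print one line per request so the four cases can be compared.
sub describe {
    my ($label, $result) = @_;
    my $p = $result->{patron};
    my $who = %$p
        ? "$p->{firstname} $p->{surname} ($p->{email})"
        : '(none)';
    printf "%-42s action=%-8s patron=%s\n", $label, $result->{action}, $who;
}

describe('no cookie',                        handle_memberentry(undef,         {}));
describe('no cookie, borrowernumber=42',     handle_memberentry(undef,         { borrowernumber => 42 }));
describe('unknown cookie, borrowernumber=42', handle_memberentry('sess-nope',  { borrowernumber => 42 }));
describe('valid session for patron 42',      handle_memberentry('sess-abc123', { borrowernumber => 43 }));
```

<p>Run it with <code>perl</code>: the two anonymous requests and the one with
an unknown cookie all get the empty registration form even though they carry
<code>borrowernumber=42</code>, and the valid session for patron 42 is shown
patron 42 despite the parameter asking for 43. The equivalent check against a
real instance is the one the thread alludes to: request the script with curl
and no session cookie and confirm the response contains no patron data.</p>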
</body></html>