Je vous fais suivre ce mail de joubu, si qqn peut se pencher
dessus et contribuer à le résoudre... (me tenir au courant svp)
-------- Message transféré --------
Hello everybody,
If you get this email I am expecting from you to talk about it to
whom
could be concerned.
Yesterday a bug (28929) was reported about a possible privilege
escalation.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28929
It is confirmed and is highlighly critical in some cases, and stay
critical in all other cases. It's really bad.
Basically we are missing filtering on patron's data when we create
or
edit a patron. Which means a user can edit whichever info they
want,
by modifying the DOM of the page.
And, it includes borrowers.flags (that's where it hurts really
badly).
It impacts both OPAC and Staff interfaces.
What you should do:
1. Reduce the risks!
* Disable PatronSelfRegistration (!)
* Disable AutoApprovePatronProfileSettings (!) or you can totally
disable OPACPatronDetails
2. Make sure the staff interface is not accessible to the world
3. Remove old librarian accounts
4. Something else you have in mind? If so, please share!
Then you should (or ask your team to) help us. We will need people
on
the bug to:
1. Write patches and discuss the best approach to fix the
different
issues (there are patches already)
2. Test! and test! We will have to test on five different versions
(master+4 stables)!
3. QA, and *really* review, all the different versions (we really
want
to prevent a mess publishing a fix that will introduce
regressions).
We will then need to coordinate.
A plan (to discuss) could be:
1. Tell the big actors to be ready for an urgent release (This is
the
goal of this email!)
2. Make the patches ready for the different versions (see the
above)
3. Have all the packages ready, before we communicate publicly
(Mason,
will you be available?)
4. Tell the people we know to upgrade (so, you, and those who are
aware of the problem)
5. Announce publicly
What do you think?
This info should not be public, but please communicate as much as
you
can around you (people you trust of course).
No need to over communicate either, as we are not ready yet!
If you don't have access to the bug, just tell me (or Tomas,
Katrin,
Martin, Nick, etc.)
Cheers,
Jonathan