Uh..., probably it is not so good to publish security issues on a public list. The official way is https://koha-community.org/security/ <https://koha-community.org/security/> if I'm not wrong. sb
On 15 Mar 2017, at 16:57, Devinim Koha Development Team <kohadevinim@devinim.com.tr> wrote:
Hi,
In that case we can reach the user detailed information without giving a password by curl.
If you want we can share the code how to get this information without authentication, from this list.
On 15-03-2017 18:50, Jonathan Druart wrote:
Hi,
authnotrequired is set to 1 because opac-memberentry.pl <http://opac-memberentry.pl/> is also used by the self registration feature. The patron information displayed is based on the logged in user, not a parameter passed to the script.
Everything looks ok to me.
Regards, Jonathan
On Wed, 15 Mar 2017 at 12:18 Devinim Koha Development Team <kohadevinim@devinim.com.tr <mailto:kohadevinim@devinim.com.tr>> wrote: Hi all,
In the opac-memberentry.pl <http://opac-memberentry.pl/> authnotrequired area is 1 by default, in that case, user information can be reached without given a user authentication and this can lead some vulnerabilites, do we miss something? We were not able to understand why it is 1 by default?
Thanks. On 14-03-2017 11:33, Chris Cormack wrote:
Hi,
Normally once they are released the release maintainer shifts them out of security. That one got missed, shifted now
Chris
On 14 March 2017 9:13:51 PM NZDT, Devinim Koha Development Team <kohadevinim@devinim.com.tr> <mailto:kohadevinim@devinim.com.tr> wrote: Hi all,
How can we see the fixes of security bugs?
We've faced with a vulnerability with Bug# 16969 in a new version, but it's said that it was fixed in 3.22.10.
Thanks.
Devinim Koha Dev. Team
Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel <http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel> website : http://www.koha-community.org <http://www.koha-community.org/>/ git : http://git.koha-community.org <http://git.koha-community.org/>/ bugs : http://bugs.koha-community.org <http://bugs.koha-community.org/>/ -- Sent from my Android device with K-9 Mail. Please excuse my brevity. _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel <http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel> website : http://www.koha-community.org/ <http://www.koha-community.org/> git : http://git.koha-community.org/ <http://git.koha-community.org/>bugs : http://bugs.koha-community.org/ <http://bugs.koha-community.org/>
Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel <http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel> website : http://www.koha-community.org/ <http://www.koha-community.org/> git : http://git.koha-community.org/ <http://git.koha-community.org/> bugs : http://bugs.koha-community.org/ <http://bugs.koha-community.org/>_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/