[Koha-devel] How to see security fixes

Devinim Koha Development Team kohadevinim at devinim.com.tr
Wed Mar 15 17:27:04 CET 2017


Hi,
We have sent the code to Jonathan Druart as he wanted,
and we can get all the info without authorization even in 3.20.x, hence it 
should be fixed ASAP.

Best regards,
Devinim Koha Development Team

On 15-03-2017 19:17, Stefano Bargioni wrote:
> Uh..., probably it is not so good to publish security issues on a 
> public list.
> The official way is
> https://koha-community.org/security/
> if I'm not wrong.
> sb
>
>> On 15 Mar 2017, at 16:57, Devinim Koha Development Team 
>> <kohadevinim at devinim.com.tr> wrote:
>>
>> Hi,
>>
>> In that case we can reach the user's detailed information without 
>> giving a password, via curl.
>>
>> If you want, we can share the code for how to get this information without 
>> authentication on this list.
>>
>>
>> On 15-03-2017 18:50, Jonathan Druart wrote:
>>> Hi,
>>>
>>> authnotrequired is set to 1 because opac-memberentry.pl is also 
>>> used by the self registration feature.
>>> The patron information displayed is based on the logged in user, not 
>>> a parameter passed to the script.
>>>
>>> Everything looks ok to me.
>>>
>>> Regards,
>>> Jonathan
>>>
>>> On Wed, 15 Mar 2017 at 12:18 Devinim Koha Development Team 
>>> <kohadevinim at devinim.com.tr> wrote:
>>>
>>>     Hi all,
>>>
>>>     In opac-memberentry.pl, authnotrequired is 1 by default; in
>>>     that case, user information can be reached without user
>>>     authentication, and this can lead to some vulnerabilities.
>>>     Do we miss something? We were not able to understand why it is
>>>     1 by default.
>>>
>>>     Thanks.
>>>
>>>     On 14-03-2017 11:33, Chris Cormack wrote:
>>>>     Hi,
>>>>
>>>>     Normally once they are released the release maintainer shifts
>>>>     them out of security. That one got missed, shifted now
>>>>
>>>>     Chris
>>>>
>>>>     On 14 March 2017 9:13:51 PM NZDT, Devinim Koha Development Team
>>>>     <kohadevinim at devinim.com.tr> wrote:
>>>>
>>>>         Hi all,
>>>>
>>>>         How can we see the fixes of security bugs?
>>>>
>>>>         We've faced a vulnerability, Bug# 16969, in a new version, but
>>>>         it's said that it was fixed in 3.22.10.
>>>>
>>>>
>>>>         Thanks.
>>>>
>>>>         Devinim Koha Dev. Team
>>>>
>>>>         ------------------------------------------------------------------------
>>>>
>>>>         Koha-devel mailing list
>>>>         Koha-devel at lists.koha-community.org
>>>>         http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
>>>>         website : http://www.koha-community.org/
>>>>         git : http://git.koha-community.org/
>>>>         bugs : http://bugs.koha-community.org/
>>>>
>>>>     -- Sent from my Android device with K-9 Mail. Please excuse my
>>>>     brevity. 
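The design Jonathan describes above (a script reachable without login because it also serves self-registration, whose patron details must come from the session and never from a request parameter) is modelled below as an added illustration; this is not Koha's code, and the names `Request`, `render_member_entry`, `leaks_patron_data` and the `PATRONS` table are constructed for the example.

```python
"""Constructed model of the opac-memberentry.pl access pattern (not Koha code)."""

from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample patron table keyed by borrowernumber.
PATRONS: Dict[int, dict] = {
    42: {"surname": "Example", "email": "p42@example.org", "address": "1 Main St"},
    43: {"surname": "Other", "email": "p43@example.org", "address": "2 High St"},
}


@dataclass
class Request:
    params: Dict[str, str] = field(default_factory=dict)
    # Populated only by a real login; None for an anonymous visitor.
    session_borrowernumber: Optional[int] = None


def render_member_entry(req: Request, authnotrequired: bool = True) -> dict:
    """Two modes: self-registration for anonymous users, modify for logged-in ones."""
    borrowernumber = req.session_borrowernumber
    if borrowernumber is None:
        if not authnotrequired:
            # Script requires login: redirect instead of rendering anything.
            return {"status": 302, "location": "/cgi-bin/koha/opac-user.pl", "patron": None}
        # Anonymous visitor: only the empty self-registration form, no patron data.
        return {"status": 200, "mode": "self-registration", "patron": None}
    # Logged-in user: details for the session's patron only. Any borrowernumber
    # in req.params is deliberately ignored, so it cannot select another patron.
    return {"status": 200, "mode": "modify", "patron": PATRONS.get(borrowernumber)}


def leaks_patron_data(req: Request) -> bool:
    """Regression check: an unauthenticated request must never yield patron fields."""
    anonymous = Request(params=dict(req.params), session_borrowernumber=None)
    return render_member_entry(anonymous, authnotrequired=True)["patron"] is not None
```

The regression check is the kind of test a maintainer can keep in a suite so that a later change to the script never starts honouring a patron identifier from the query string.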