[Koha-devel] How to see security fixes

Devinim Koha Development Team kohadevinim at devinim.com.tr
Wed Mar 15 17:35:00 CET 2017


BTW,

We have created this bug as #18275.  We did not put the script how to 
crawl the data on the bug.


On 15-03-2017 19:27, Devinim Koha Development Team wrote:
> Hi,
> We have sent the code to Jonathan Druart as he wanted
> and we can get all info without authorization even in 3.20.x, hence it 
> should be fixed ASAP.
>
> Best regards,
> Devinim Koha Development Team
>
> On 15-03-2017 19:17, Stefano Bargioni wrote:
>> Uh..., probably it is not so good to publish security issues on a 
>> public list.
>> The official way is
>> https://koha-community.org/security/
>> if I'm not wrong.
>> sb
>>
>>> On 15 Mar 2017, at 16:57, Devinim Koha Development Team 
>>> <kohadevinim at devinim.com.tr> wrote:
>>>
>>> Hi,
>>>
>>> In that case we can reach the user detailed information without 
>>> giving a password by curl.
>>>
>>> If you want we can share the code how to get this information 
>>> without authentication, from this list.
>>>
>>>
>>> On 15-03-2017 18:50, Jonathan Druart wrote:
>>>> Hi,
>>>>
>>>> authnotrequired is set to 1 because opac-memberentry.pl is also
>>>> used by the self registration feature.
>>>> The patron information displayed is based on the logged in user, 
>>>> not a parameter passed to the script.
>>>>
>>>> Everything looks ok to me.
>>>>
>>>> Regards,
>>>> Jonathan
>>>>
>>>> On Wed, 15 Mar 2017 at 12:18 Devinim Koha Development Team 
>>>> <kohadevinim at devinim.com.tr> wrote:
>>>>
>>>>     Hi all,
>>>>
>>>>     In the opac-memberentry.pl
>>>>     authnotrequired area is 1 by default, in that case, user
>>>>     information can be reached without giving a user authentication
>>>>
>>>>     and this can lead to some vulnerabilities, do we miss something? We
>>>>     were not able to understand why it is 1 by default?
>>>>
>>>>     Thanks.
>>>>
>>>>     On 14-03-2017 11:33, Chris Cormack wrote:
>>>>>     Hi,
>>>>>
>>>>>     Normally once they are released the release maintainer shifts
>>>>>     them out of security. That one got missed, shifted now
>>>>>
>>>>>     Chris
>>>>>
>>>>>     On 14 March 2017 9:13:51 PM NZDT, Devinim Koha Development
>>>>>     Team <kohadevinim at devinim.com.tr> wrote:
>>>>>
>>>>>         Hi all,
>>>>>
>>>>>         How can we see the fixes of security bugs?
>>>>>
>>>>>         We've been faced with a vulnerability with Bug# 16969 in a new version, but
>>>>>         it's said that it was fixed in 3.22.10.
>>>>>
>>>>>
>>>>>         Thanks.
>>>>>
>>>>>         Devinim Koha Dev. Team
>>>>>
>>>>>         ------------------------------------------------------------------------
>>>>>
>>>>>         Koha-devel mailing list
>>>>>         Koha-devel at lists.koha-community.org
>>>>>         http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
>>>>>         website : http://www.koha-community.org/
>>>>>         git : http://git.koha-community.org/
>>>>>         bugs : http://bugs.koha-community.org/
>>>>>