[Koha-devel] How to see security fixes
Devinim Koha Development Team
kohadevinim at devinim.com.tr
Wed Mar 15 17:35:00 CET 2017
BTW,
We have created this bug as #18275. We did not put the script how to
crawl the data on the bug.
On 15-03-2017 19:27, Devinim Koha Development Team wrote:
> Hi,
> We have sent the code to Jonathan Druart as he wanted
> and we can get all info without authorization even in 3.20.x, hence it
> should be fixed ASAP.
>
> Best regards,
> Devinim Koha Development Team
>
> On 15-03-2017 19:17, Stefano Bargioni wrote:
>> Uh..., probably it is not so good to publish security issues on a
>> public list.
>> The official way is
>> https://koha-community.org/security/
>> if I'm not wrong.
>> sb
>>
>>> On 15 Mar 2017, at 16:57, Devinim Koha Development Team
>>> <kohadevinim at devinim.com.tr> wrote:
>>>
>>> Hi,
>>>
>>> In that case we can reach the user detailed information without
>>> giving a password by curl.
>>>
>>> If you want we can share the code how to get this information
>>> without authentication, from this list.
>>>
>>>
>>> On 15-03-2017 18:50, Jonathan Druart wrote:
>>>> Hi,
>>>>
>>>> authnotrequired is set to 1 because opac-memberentry.pl
>>>> is also used by the self registration
>>>> feature.
>>>> The patron information displayed is based on the logged in user,
>>>> not a parameter passed to the script.
>>>>
>>>> Everything looks ok to me.
>>>>
>>>> Regards,
>>>> Jonathan
>>>>
>>>> On Wed, 15 Mar 2017 at 12:18 Devinim Koha Development Team
>>>> <kohadevinim at devinim.com.tr> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> In the opac-memberentry.pl
>>>> authnotrequired area is 1 by default, in that case, user
>>>> information can be reached without giving a user authentication
>>>>
>>>> and this can lead to some vulnerabilities, do we miss something? We
>>>> were not able to understand why it is 1 by default?
>>>>
>>>> Thanks.
>>>>
>>>> On 14-03-2017 11:33, Chris Cormack wrote:
>>>>> Hi,
>>>>>
>>>>> Normally once they are released the release maintainer shifts
>>>>> them out of security. That one got missed, shifted now
>>>>>
>>>>> Chris
>>>>>
>>>>> On 14 March 2017 9:13:51 PM NZDT, Devinim Koha Development
>>>>> Team <kohadevinim at devinim.com.tr> wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> How can we see the fixes of security bugs?
>>>>>
>>>>> We've faced with a vulnerability with Bug# 16969 in a new version, but
>>>>> it's said that it was fixed in 3.22.10.
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Devinim Koha Dev. Team
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> Koha-devel mailing list
>>>>> Koha-devel at lists.koha-community.org
>>>>> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
>>>>> website : http://www.koha-community.org/
>>>>> git : http://git.koha-community.org/
>>>>> bugs : http://bugs.koha-community.org/
>>>>>
>>>>> -- Sent from my Android device with K-9 Mail. Please excuse my
>>>>> brevity.