If you have a security issue, attack vector, or other
griefer-loophole report, please file a Private Mantis. It's been
confirmed these can be seen only by you and by Ubit. I've filed
several, and Ubit has been super responsive with feedback, questions,
and fixes. The Private/Public pulldown is at the bottom of the Mantis
reporting form.
Git users: How to Enable Dependabot:
https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
Outworldz Dependabot for this issue:
https://github.com/Outworldz/DreamWorld/pulls?q=is%3Apr+is%3Aclosed
I closed this Dependabot back in Feb 2021 after much offline discussion
with Ubit. We do not have a mechanism for user-uploadable changes to
the config files that this attack depends on.
To some people, the idea that DTDs are a security risk may sound more
like paranoia than good sense, but I don't believe those people are
correct. A healthy paranoia is what we need. Since Log4j is running
wild in the field, it's been a positive thing to shine more light on this.
Fred
_______________________________________________
Opensim-dev mailing list
Opensim-dev@opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
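[Editor's illustration, not part of Fred's message and not OpenSim or DreamWorld code.] The DTD risk Fred refers to is the general one: an XML document can carry a DOCTYPE that declares an external entity, and a parser configured to process DTDs and resolve external references will fetch that resource when it expands the entity. The message itself notes that this only matters where an attacker can supply the XML; the example below does not describe any OpenSim behaviour. It is a constructed .NET snippet showing the same hostile document parsed with a permissive XmlReaderSettings and with a hardened one (DtdProcessing.Prohibit, no resolver). The input string, the file path inside it and the class name are all assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Added illustration, not OpenSim/DreamWorld code: one XML document parsed by a
// reader that processes DTDs versus one that refuses them outright.
static class DtdHardening
{
    // Constructed sample input (not a real config file). The DOCTYPE declares an
    // external entity; a permissive reader resolves it and reads the named file
    // into the <value> element. The path is arbitrary for the demonstration.
    const string ConfigWithDtd = @"<?xml version=""1.0""?>
<!DOCTYPE config [
  <!ENTITY ext SYSTEM ""file:///etc/hostname"">
]>
<config><value>&ext;</value></config>";

    // Permissive: DTD is parsed and external references are fetched via
    // XmlUrlResolver. This is the legacy behaviour that makes DTDs dangerous.
    static XmlReaderSettings PermissiveSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver(),
    };

    // Hardened: any DOCTYPE is rejected with an XmlException before entities
    // are seen, nothing is fetched from disk or network, and entity expansion
    // is capped (belt and braces; with Prohibit no custom entities can exist).
    static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,
    };

    // Parses the sample with the given settings and returns the text of
    // /config/value, or a "rejected: ..." string describing why parsing failed.
    static string ReadValue(XmlReaderSettings settings)
    {
        try
        {
            using var reader = XmlReader.Create(new StringReader(ConfigWithDtd), settings);
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc.SelectSingleNode("/config/value")?.InnerText ?? "";
        }
        catch (Exception ex)
        {
            // Prohibit surfaces as XmlException ("DTD is prohibited ...");
            // resolver failures on the permissive path surface as I/O errors.
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        Console.WriteLine("permissive: " + ReadValue(PermissiveSettings()));
        Console.WriteLine("hardened:   " + ReadValue(HardenedSettings()));
    }
}
```

On a machine where the referenced file exists, the permissive run prints its contents inside the value; the hardened run always prints a rejection, which is the behaviour to verify when auditing any code path that parses XML an untrusted party could influence.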