Dear OpenXPKI users,

we want to inform you that two critical bugs have been found in OpenXPKI. Immediate action is recommended!

#1 Remote Code Execution
Improper escaping of URL parameters can be used to inject Perl/Bash code that runs in the context of the webserver. This does *not* compromise private keys or sensitive data, but it can be used to hijack running frontend sessions with their assigned privileges or to access the socket API as the "System" user. An attacker must have a valid session to run this attack; the "anonymous" login shipped with the default config is sufficient.

#2 Cross-Site Request Forgery
Some critical workflow actions can be triggered using Cross-Site Request Forgery. The worst scenario is the approval of a pending request when injected into the browser of a running session.

All published versions up to 1.16.6 are vulnerable! A new release 1.16.8 addressing the mentioned issues was published today; packages are available for Debian Jessie and Ubuntu Trusty on the package servers. Upgrades from 1.14 or later should work out of the box. If you update from earlier versions, please check the upgrade hints on http://openxpki.readthedocs.io/en/latest/upgrading.html

With best regards,

Your OpenXPKI development team
--
Protect your environment -  close windows and adopt a penguin!
