[ckan-committers] Help reaching out to vulnerable CKANs

Adrià Mercader adria.mercader at okfn.org
Mon Sep 18 14:56:44 UTC 2017


Hi all,

You might be aware of this via a developer, but last week we had a public
report of a vulnerability in CKAN that affects all versions since 2.0.

This is nothing new, we regularly patch security holes in our patch
releases, but the difference is that this time the vulnerability has been
reported to a bug bounty website. There were around 20 CKAN sites reported,
including National instances like Australia, Singapore, etc. One example:

https://www.openbugbounty.org/reports/294186/

The way these sites work is that they give a period of time to patch the
vulnerability but then they make it public. They also notify the website
owners, although I'm not clear how successful they were on that.

We have decided to release a quick security patch next week and try to
reach at least the sites listed on the bounty website (again, all CKANs are
vulnerable, but these were the ones reported).

Some of these sites are managed by vendors on the SG, and for some you might
have a contact we can reach there.

The idea is to ask them to upgrade to the latest patch release if they are
running a supported version (CKAN >= 2.4) or apply the patch directly if
not.

Could you access this spreadsheet (please request access with whatever
email you use) and fill the contact field if you manage or have a contact
on that particular site?

https://docs.google.com/spreadsheets/d/1qG4iBfBZwcPg2i-KbFkPV4TvpCH94hVJPSYWcg8IKCs/edit#gid=2069917099


Going forward we need to address people not running the latest patch
version and having their sites vulnerable, because sadly that's the most
common scenario.

Thanks,

Adrià