[ckan-committers] Help reaching out to vulnerable CKANs

Sebastian Moleski smoleski at viderum.com
Mon Sep 18 16:39:35 UTC 2017


Hi Adria,

Obviously, we’re happy to publish availability of this patch through all our communication channels as well as reach out to our existing and past clients about it. For our hosted clients and trials, we’ll patch as soon as possible.

I’ve also requested access to that spreadsheet for smoleski at viderum.com so that we can check for which of these portals we might already have contact information.

Please let me know if there’s anything else we can do.

Best,

Sebastian Moleski
Chief Executive Officer

Viderum (https://www.viderum.com/) - making the world’s public data discoverable and accessible to everyone
https://www.viderum.com/  |  @videruminc (https://twitter.com/videruminc)



From: ckan-steering-group at googlegroups.com On Behalf Of Adrià Mercader
Sent: Monday, September 18, 2017 4:57 PM
To: CKAN Association Steering Group <ckan-steering-group at googlegroups.com>
Cc: ckan-committers at lists.okfn.org
Subject: Help reaching out to vulnerable CKANs

Hi all,

You might be aware of this via a developer, but last week we had a public report of a vulnerability in CKAN that affects all versions since 2.0.

This is nothing new, we regularly patch security holes in our patch releases, but the difference is that this time the vulnerability has been reported to a bug bounty website. There were around 20 CKAN sites reported, including national instances like Australia, Singapore, etc. One example:

https://www.openbugbounty.org/reports/294186/

The way these sites work is that they give a period of time to patch the vulnerability, but then they make it public. They also notify the website owners, although I'm not clear how successful they were at that.

We have decided to release a quick security patch next week and try to reach at least the sites listed on the bounty website (again, all CKANs are vulnerable, but these were the ones reported).

Some of these sites are managed by vendors on the SG; for others, you might have a contact we can reach.

The idea is to ask them to upgrade to the latest patch release if they are running a supported version (CKAN >= 2.4) or apply the patch directly if not.

Could you access this spreadsheet (please request access with whatever email you use) and fill in the contact field if you manage or have a contact on that particular site?

https://docs.google.com/spreadsheets/d/1qG4iBfBZwcPg2i-KbFkPV4TvpCH94hVJPSYWcg8IKCs/edit#gid=2069917099


Going forward we need to address people not running the latest patch version and having their sites vulnerable, because sadly that's the most common scenario.

Thanks,

Adrià
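As an added example (not part of this thread and not CKAN project code), here is a small triage helper for the rule Adrià states above: a portal on a supported version (CKAN >= 2.4) should upgrade to the latest patch release, an older one should apply the patch directly. It assumes only the real CKAN API action `status_show` (`GET /api/3/action/status_show`), whose JSON result carries a `ckan_version` string; the response bodies below are constructed, and the portal names are placeholders, so it runs offline against nothing but its own sample data.

```python
"""Classify CKAN portals by the version they report via status_show.

Added example for the outreach described in the thread; not CKAN code.
Only assumption about CKAN itself: the status_show action returns
{"success": true, "result": {"ckan_version": "<x.y.z>", ...}}.
"""
import json
import re
from typing import Dict, Optional, Tuple

SUPPORTED_MIN = (2, 4)   # oldest supported line named in the email
AFFECTED_MIN = (2, 0)    # report covers "all versions since 2.0"

# Constructed status_show response bodies keyed by a placeholder portal name.
SAMPLE_RESPONSES: Dict[str, str] = {
    "portal-a": '{"success": true, "result": {"ckan_version": "2.6.2"}}',
    "portal-b": '{"success": true, "result": {"ckan_version": "2.2"}}',
    "portal-c": '{"success": true, "result": {"ckan_version": "2.7.0b1"}}',
    "portal-d": '{"success": true, "result": {"ckan_version": "1.8.1"}}',
    "portal-e": '{"success": false, "error": {"message": "Not found"}}',
    "portal-f": "<html>not an API reply</html>",
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.6.2', '2.2' or '2.7.0b1' into a comparable (major, minor, patch)
    tuple. Pre-release suffixes are ignored; unparsable input yields None."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def ckan_version_from_status(body: str) -> Optional[str]:
    """Extract ckan_version from a status_show body, or None when the body is
    not a successful CKAN API reply (HTML error page, success=false, ...)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not doc.get("success"):
        return None
    result = doc.get("result") or {}
    version = result.get("ckan_version") if isinstance(result, dict) else None
    return version if isinstance(version, str) else None


def triage(body: str) -> str:
    """Map one status_show body to the action the email asks for."""
    raw = ckan_version_from_status(body)
    version = parse_version(raw) if raw is not None else None
    if version is None:
        return "unknown-version"          # needs a manual look
    if version >= SUPPORTED_MIN:
        return "upgrade-to-latest-patch"  # supported line: take the patch release
    if version >= AFFECTED_MIN:
        return "apply-patch-directly"     # affected but unsupported line
    return "outside-reported-range"       # older than the range the report names


def triage_all(responses: Dict[str, str]) -> Dict[str, str]:
    """Triage every portal in a name -> response-body mapping."""
    return {name: triage(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, action in triage_all(SAMPLE_RESPONSES).items():
        print(f"{name}: {action}")
```

The classifier deliberately treats anything that is not a well-formed, successful `status_show` reply as "unknown-version" rather than guessing, since a portal hiding its version still needs a human contact; the spreadsheet step in the email is what resolves those.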

