[ckan-committers] Help reaching out to vulnerable CKANs

Adrià Mercader adria.mercader at okfn.org
Fri Sep 22 13:53:29 UTC 2017


Hi all,

We are working on the patch releases for next week on this. Would be good
if you could check if you have contacts on these instances.

@Joel perhaps Open Philly? http://opendataphilly.org

@Steven lots of aussie sites there, including data.gov.au

Thanks and have a great weekend

On 18 September 2017 at 17:39, Sebastian Moleski <smoleski at viderum.com>
wrote:

> Hi Adria,
>
> Obviously, we’re happy to publish availability of this patch through all
> our communication channels as well as reach out to our existing and past
> clients about it. For our hosted clients and trials, we’ll patch as soon as
> possible.
>
> I’ve also requested access to that spreadsheet for smoleski at viderum.com
> so that we can check for which of these portals we might already have
> contact information.
>
> Please let me know if there’s anything else we can do.
>
> Best,
>
> *Sebastian Moleski*
>
> Chief Executive Officer
>
> Viderum <https://www.viderum.com/> - making the world’s public data
> discoverable and accessible to everyone
>
> https://www.viderum.com/  |  @videruminc <https://twitter.com/videruminc>
>
> *From:* ckan-steering-group at googlegroups.com [mailto:ckan-steering-group@googlegroups.com] *On Behalf Of *Adrià Mercader
> *Sent:* Monday, September 18, 2017 4:57 PM
> *To:* CKAN Association Steering Group <ckan-steering-group@googlegroups.com>
> *Cc:* ckan-committers at lists.okfn.org
> *Subject:* Help reaching out to vulnerable CKANs
>
> Hi all,
>
> You might be aware of this via a developer, but last week we had a public
> report of a vulnerability in CKAN that affects all versions since 2.0.
>
> This is nothing new, we regularly patch security holes in our patch
> releases, but the difference is that this time the vulnerability has been
> reported to a bug bounty website. There were around 20 CKAN sites reported,
> including National instances like Australia, Singapore, etc. One example:
>
> https://www.openbugbounty.org/reports/294186/
>
> The way these sites work is that they give a period of time to patch the
> vulnerability but then they make it public. They also notify the website
> owners, although I'm not clear how successful they were on that.
>
> We have decided to release a quick security patch next week and try to
> reach at least the sites listed on the bounty website (again, all CKANs are
> vulnerable, but these were the ones reported).
>
> Some of these sites are managed by vendors on the SG, some you might have
> a contact we can reach there.
>
> The idea is to ask them to upgrade to the latest patch release if they are
> running a supported version (CKAN >= 2.4) or apply the patch directly if
> not.
>
> Could you access this spreadsheet (please request access with whatever
> email you use) and fill the contact field if you manage or have a contact
> on that particular site?
>
> https://docs.google.com/spreadsheets/d/1qG4iBfBZwcPg2i-KbFkPV4TvpCH94hVJPSYWcg8IKCs/edit#gid=2069917099
>
> Going forward we need to address people not running the latest patch
> version and having their sites vulnerable, because sadly that's the most
> common scenario.
>
> Thanks,
>
> Adrià
>
> --
> You received this message because you are subscribed to the Google Groups
> "CKAN Association Steering Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ckan-steering-group+unsubscribe at googlegroups.com.
> To post to this group, send email to ckan-steering-group at googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/ckan-steering-group/CAGJR8i%2B7kRdfUBMAO-ZQoyUzcMmzyqabMST%3DpPScppQugNWS9w%40mail.gmail.com
> For more options, visit https://groups.google.com/d/optout.
>