[CKAN-Security] [ckan-dev] New patch releases, next Wednesday 3rd July

Cam Findlay Cam.Findlay at dia.govt.nz
Thu Jul 18 04:55:20 UTC 2019


Hi again Adrià,

Just to let you know I touched base with the security email you suggested but we've heard nothing back.

We have an XSS issue to raise in CKAN when used alongside the DCAT module and outputting json-ld into the markup.

Happy to share the steps to replicate if you like. We've put a fix in our product and are happy to do a more coordinated disclosure with you folks to give people time to patch (literally a 1 line fix to escape the generated json).


Many thanks,

Cam Findlay | Lead Product Owner | Government Information Services
The Department of Internal Affairs Te Tari Taiwhenua
DDI: +64 4 819 8968 | Extn: 4351 | Mobile: +64 21 263 0351
www.data.govt.nz
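The bug class Cam describes above (a structured-data extension serialising JSON-LD straight into a `<script>` element, where a dataset field containing `</script>` closes the element and the rest of the value runs as script) is easy to reproduce and to fix in a few lines. The following is an added Python example written for this archive; it is not the data.govt.nz fix, nor CKAN's or ckanext-dcat's code. The template shape, the function names and the sample dataset record are assumptions made for illustration.

```python
import json
import re

# Constructed sample record: the description is the attacker-controlled field.
DATASET = {
    "@context": "http://schema.org",
    "@type": "Dataset",
    "name": "Example dataset",
    "description": "</script><script>alert(document.cookie)</script>",
}

# Assumed template shape: the serialised object is dropped inside a JSON-LD script tag.
TEMPLATE = '<script type="application/ld+json">%s</script>'

SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)

# JSON unicode escapes for the characters the HTML tokenizer cares about.
# A JSON parser turns them back into the original characters; the HTML
# parser never sees a "<" and so never sees a premature "</script".
_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # line/paragraph separators are newlines in old JS engines
    "\u2029": "\\u2029",
}


def render_unsafe(data):
    # json.dumps leaves "<" and ">" untouched, so a value containing
    # "</script>" terminates the script element early in the browser.
    return TEMPLATE % json.dumps(data)


def json_for_script(data):
    # Serialise, then replace HTML-significant characters with JSON escapes.
    text = json.dumps(data, ensure_ascii=False)
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def render_safe(data):
    return TEMPLATE % json_for_script(data)


def script_breakout(html):
    # The browser ends the script element at the first "</script" it sees
    # (case-insensitive). Any occurrence before the real closer is a breakout.
    body = html[html.index(">") + 1:]
    return len(SCRIPT_CLOSE.findall(body)) > 1


def roundtrip_ok(data):
    # The escaped JSON must still parse back to the original object.
    html = render_safe(data)
    start = html.index(">") + 1
    end = html.rindex("</script>")
    return json.loads(html[start:end]) == data


if __name__ == "__main__":
    print("unsafe breaks out:", script_breakout(render_unsafe(DATASET)))
    print("safe breaks out:  ", script_breakout(render_safe(DATASET)))
    print("safe round-trips: ", roundtrip_ok(DATASET))
```

Note that the escaping has to be done with JSON `\uXXXX` escapes, not HTML entities: the contents of a `<script>` element are not entity-decoded by the browser, so writing `&lt;` there would corrupt the JSON-LD rather than neutralise it.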
-----Original Message-----
From: Adrià Mercader <adria.mercader at okfn.org> 
Sent: Thursday, 27 June 2019 7:54 PM
To: Cam Findlay <Cam.Findlay at dia.govt.nz>
Subject: Re: [ckan-dev] New patch releases, next Wednesday 3rd July

Hi Cam,

Thanks for reaching out. The release branches that will eventually become the patch releases are the dev-v2.X ones. I can also provide Debian packages for these if you'd like.

To discuss security related issues please reach out to security at ckan.org, which forwards privately to the tech team.

Best,

Adrià

On Thu, 27 Jun 2019 at 01:07, Cam Findlay <Cam.Findlay at dia.govt.nz> wrote:
>
> Hi Adrià,
>
> Cam here from data.govt.nz (been a while since we touched base via GitHub!).
>
> Are you staging these patch releases somewhere on a release candidate branch we can have a pre look at what’s in the box?
>
> Also, just to let you know we’ve just run a pen test over our implementation of CKAN and have found a potential vulnerability in ckan/ckan core.
>
> What is the best way to do a coordinated disclosure with you?
>
> C.
>
> From: Cam Findlay <cam at camfindlay.com>
> Sent: Thursday, 27 June 2019 11:03 AM
> To: Cam Findlay <Cam.Findlay at dia.govt.nz>
> Subject: Fwd: [ckan-dev] New patch releases, next Wednesday 3rd July
>
> ---------- Forwarded message ---------
> From: Adrià Mercader <adria.mercader at okfn.org>
> Date: Wed, 26 Jun 2019 at 21:45
> Subject: [ckan-dev] New patch releases, next Wednesday 3rd July
> To: CKAN Development Discussions <ckan-dev at lists.okfn.org>, 
> <ckan-announce at lists.okfn.org>
>
> Hi all,
>
> Next Wednesday 3rd July around 13:00 UTC (15:00 CEST, 09:00 EST) we 
> will be releasing patch releases for the following previous versions:
>
> 2.8.x -> 2.8.3
> 2.7.x -> 2.7.6
> 2.6.x -> 2.6.8
>
> Users are strongly encouraged to always run on the latest patch 
> release for their version, as these include important security and 
> stability fixes. The latest patch release is the only one supported by 
> the CKAN team (patch releases don't contain backwards incompatible 
> changes and upgrading should be straightforward).
>
> More information about CKAN releases can be found here:
>
> http://docs.ckan.org/en/latest/maintaining/upgrading/index.html#ckan-releases
>
> Best,
>
> Adrià
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev