[CKAN-Security] [ckan-dev] New patch releases, next Wednesday 3rd July

Adrià Mercader adria.mercader at okfn.org
Thu Jul 18 10:25:42 UTC 2019


Sorry Cam, maybe your original message got lost in the moderation queue,
would you mind submitting it again?


On Thu, 18 Jul 2019 at 06:55, Cam Findlay <Cam.Findlay at dia.govt.nz> wrote:

> Hi again Adrià,
>
> Just to let you know I touched base with the security email you suggested
> but we've heard nothing back.
>
> We have an XSS issue to raise in CKAN when used alongside the DCAT module
> and outputting json-ld into the markup.
>
> Happy to share the steps to replicate if you like. We've put a fix in our
> product and happy to do a more coordinated disclosure with you folk to give
> people time to patch (literally a 1 line fix to escape the generated json).
>
>
> Many thanks,
>
> Cam Findlay | Lead Product Owner | Government Information Services
> The Department of Internal Affairs Te Tari Taiwhenua
> DDI: +64 4 819 8968 | Extn: 4351 | Mobile: +64 21 263 0351
> www.data.govt.nz
>
> -----Original Message-----
> From: Adrià Mercader <adria.mercader at okfn.org>
> Sent: Thursday, 27 June 2019 7:54 PM
> To: Cam Findlay <Cam.Findlay at dia.govt.nz>
> Subject: Re: [ckan-dev] New patch releases, next Wednesday 3rd July
>
> Hi Cam,
>
> Thanks for reaching out. The release branches that will eventually become
> the patch releases are the dev-v2.X ones. I can also provide Debian packages
> for these if you'd like.
>
> To discuss security-related issues please reach out to security at ckan.org,
> which forwards privately to the tech team.
>
> Best,
>
> Adrià
>
> On Thu, 27 Jun 2019 at 01:07, Cam Findlay <Cam.Findlay at dia.govt.nz> wrote:
> >
> > Hi Adrià,
> >
> > Cam here from data.govt.nz (been a while since we touched base via
> > GitHub!).
> >
> > Are you staging these patch releases somewhere on a release candidate
> > branch we can have a pre look at what’s in the box?
> >
> > Also, just to let you know we’ve just run a pen test over our
> > implementation of CKAN and have found a potential vulnerability in
> > ckan/ckan core.
> >
> > What is the best way to do a coordinated disclosure with you?
> >
> > C.
> >
> > From: Cam Findlay <cam at camfindlay.com>
> > Sent: Thursday, 27 June 2019 11:03 AM
> > To: Cam Findlay <Cam.Findlay at dia.govt.nz>
> > Subject: Fwd: [ckan-dev] New patch releases, next Wednesday 3rd July
> >
> > ---------- Forwarded message ---------
> > From: Adrià Mercader <adria.mercader at okfn.org>
> > Date: Wed, 26 Jun 2019 at 21:45
> > Subject: [ckan-dev] New patch releases, next Wednesday 3rd July
> > To: CKAN Development Discussions <ckan-dev at lists.okfn.org>,
> > <ckan-announce at lists.okfn.org>
> >
> > Hi all,
> >
> > Next Wednesday 3rd July around 13:00 UTC (15:00 CEST, 09:00 EST) we
> > will be releasing patch releases for the following previous versions:
> >
> > 2.8.x -> 2.8.3
> > 2.7.x -> 2.7.6
> > 2.6.x -> 2.6.8
> >
> > Users are strongly encouraged to always run on the latest patch
> > release for their version, as these include important security and
> > stability fixes. The latest patch release is the only one supported by
> > the CKAN team (patch releases don't contain backwards incompatible
> > changes and upgrading should be straightforward).
> >
> > More information about CKAN releases can be found here:
> >
> > http://docs.ckan.org/en/latest/maintaining/upgrading/index.html#ckan-releases
> >
> > Best,
> >
> > Adrià
> > _______________________________________________
> > ckan-dev mailing list
> > ckan-dev at lists.okfn.org
> > https://lists.okfn.org/mailman/listinfo/ckan-dev
> > Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
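The class of bug Cam describes above, JSON-LD serialised straight into the page markup so that a value containing `</script>` ends the script element early, as an added example that is not code from this thread, from CKAN or from the DCAT extension. The dataset metadata and the function names are constructed for illustration; the hardened variant is the generic "escape the generated JSON" fix, not a claim about how the project patched it.

```python
import json

# Constructed sample metadata (not taken from the thread). The name field holds
# the character sequence that terminates an inline <script> element in HTML.
SAMPLE_DATASET = {
    "@context": "https://schema.org",
    "@type": "Dataset",
    "name": "Budget data </script><!-- no longer inside the JSON -->",
    "description": "Tom & Jerry's spending <2019>",
}

TEMPLATE = '<script type="application/ld+json">%s</script>'


def jsonld_naive(data):
    """Unsafe rendering: json.dumps() leaves '<', '>' and '&' as they are, so the
    HTML parser sees the embedded '</script>' and closes the element early."""
    return TEMPLATE % json.dumps(data)


def json_for_html(data):
    """Serialise to JSON, then replace the characters the HTML parser acts on with
    their JSON \\uXXXX escapes. The text is still valid JSON and decodes to the
    same object, but can no longer contain '</script' or '<!--'."""
    text = json.dumps(data)  # ensure_ascii=True already escapes non-ASCII
    return (text.replace("&", "\\u0026")
                .replace("<", "\\u003c")
                .replace(">", "\\u003e"))


def jsonld_safe(data):
    """Hardened rendering: the script body contains no literal '<', '>' or '&'."""
    return TEMPLATE % json_for_html(data)


def script_closes_early(html):
    """Detection check for rendered output: a single JSON-LD block must contain
    exactly one '</script' sequence; more than one means the data broke out."""
    return html.lower().count("</script") > 1


def roundtrips(data):
    """Confirm the escaped text still parses back to the original object."""
    return json.loads(json_for_html(data)) == data
```

`script_closes_early()` is the kind of check to run over rendered dataset pages when testing a fix of this sort, since it flags the breakout without depending on any particular payload.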