[CKAN-Security] CKAN Security issue

Adrià Mercader adria.mercader at okfn.org
Tue Mar 26 10:00:25 UTC 2019


Hi Mohammed,

Apologies for the late reply on this. The CKAN code base does not use
pickling in any form, apart for the configuration of the Sphinx
documentation, which is a controlled input.
So the issue of unpickling untrusted or unathenticated source listed on
your security report does not apply to CKAN.

Hope this helps, let us know if you have any further questions.

Best regards,

Adrià

On Thu, 21 Mar 2019 at 10:03, Mohamed Hatab <hatab at master-works.net> wrote:

> Dears appreciate you fast response its urgent.
>
>
>
> Best Regards,,,
>
> *Mohamed Hatab *
>
> *Software Development Manager*
>
> [image:
> https://ci3.googleusercontent.com/proxy/IvuKRkqYkIWVaHgj92BQmV_ge09TaX06NKUUM9K59NGfO2wVspcZOqefPm40STywePNq_A=s0-d-e1-ft#http://i.imgur.com/zgFfSnR.png]
>
> +966559495262 <http://+966505232233/>
>
>
>
>
>
> [image:
> https://ci5.googleusercontent.com/proxy/2F96crmVY6KjMe1Pb0RDlN1K6EC7_CcHlKOUtrJXzAVvUTT0LgrJbdLeKrjiwg6O4G2oJg=s0-d-e1-ft#http://i.imgur.com/mrN5fsq.png]
>
> +966114000014 <+966%2011%20400%200014>
>
>
>
>
>
> [image:
> https://ci5.googleusercontent.com/proxy/nUV6ZzpyRQEXHVOmh8M-vOudKR0PxUDRqEUaO2G_AnXEzffFSAs3h1fyh3w8iZeDtjnqBg=s0-d-e1-ft#http://i.imgur.com/Jl4147p.png]
>
> +966114000041 <+966%2011%20400%200041>
>
>
>
>
>
> [image:
> https://ci4.googleusercontent.com/proxy/TR5UTcqL6Hf_M5j9s8FAUk-M6tha19Ah5XoYpMBuUfklbG1fKybR_OJTBKfRDx_NT2uhgA=s0-d-e1-ft#http://i.imgur.com/nSzF67u.png]
>
> hatab at master-works.net <your%20eMail at master-works.net>
>
>
>
>
>
> [image:
> https://ci4.googleusercontent.com/proxy/x5QKF00_4a4MAbnSDiz5NhENP7-erUpRFE_HEKhihG9kZnsowvaTe0HR2-LiROAvaUzPkA=s0-d-e1-ft#http://i.imgur.com/mD4oVu1.png]
>
> www.master-works.net
>
>
>
>
>
> [image:
> https://ci3.googleusercontent.com/proxy/uHYsrH7OEM_RoMtfnvF8pRKZh0pVpUEAm9r95QNGZYV-lrGcru_cw3Pjmxhyl3XDQl-Ogg=s0-d-e1-ft#http://i.imgur.com/qQRa1FK.png]Riyadh,
> Saudi Arabia
> <https://www.google.com.sa/maps/place/Master+Works/@24.7586655,46.7122324,17z/data=!3m1!4b1!4m5!3m4!1s0x3e2efd8756f74c0d:0x2274ad319a955081!8m2!3d24.7586606!4d46.7144211?hl=en>
>
>
>
> [image:
> https://ci5.googleusercontent.com/proxy/ASKKKFa6mdzvkC_tYWyEMX9RUrJjNIJr4vPjad5iPVPOxdjCzGvId3Xsu6Sn4Y2EpmkGhQ=s0-d-e1-ft#http://i.imgur.com/UfKIAgg.png]
> <https://www.linkedin.com/in/hatab/>
>
> [image:
> https://ci5.googleusercontent.com/proxy/TsqSHz5RVBJkXzqzli8x3y1YRdcTg6KMGeaSDHV8poap8smq78sb8_z1yax9-82FpORn8w=s0-d-e1-ft#http://i.imgur.com/EXpPiSj.png]
>
>
>
>
>
> *From:* Mohamed Hatab [mailto:hatab at master-works.net]
> *Sent:* Tuesday, March 19, 2019 2:35 PM
> *To:* 'security at ckan.org' <security at ckan.org>
> *Subject:* CKAN Security issue
>
>
>
> Dear Team
>
> Hope you are doing well
>
> We have received the security report for the ckan and we got one critical
> issue as below.
>
>
>
> *Issue*
>
> *Severity*
>
> *Note*
>
> *Python pickle serialization*
>
> Critical
>
> The pickle module is not intended to be secure against erroneous or
> maliciously constructed data. Never unpickle data received from an
> untrusted or unauthenticated source
>
>
>
> Could you explain or share any references that prove there is no any
> security issues or risks or is there any other alternative solutions?
>
>
>
> Best Regards,,,
>
> *Mohamed Hatab *
>
> *Software Development Manager*
>
> [image:
> https://ci3.googleusercontent.com/proxy/IvuKRkqYkIWVaHgj92BQmV_ge09TaX06NKUUM9K59NGfO2wVspcZOqefPm40STywePNq_A=s0-d-e1-ft#http://i.imgur.com/zgFfSnR.png]
>
> +966559495262 <http://+966505232233/>
>
>
>
>
>
> [image:
> https://ci5.googleusercontent.com/proxy/2F96crmVY6KjMe1Pb0RDlN1K6EC7_CcHlKOUtrJXzAVvUTT0LgrJbdLeKrjiwg6O4G2oJg=s0-d-e1-ft#http://i.imgur.com/mrN5fsq.png]
>
> +966114000014 <+966%2011%20400%200014>
>
>
>
>
>
> [image:
> https://ci5.googleusercontent.com/proxy/nUV6ZzpyRQEXHVOmh8M-vOudKR0PxUDRqEUaO2G_AnXEzffFSAs3h1fyh3w8iZeDtjnqBg=s0-d-e1-ft#http://i.imgur.com/Jl4147p.png]
>
> +966114000041 <+966%2011%20400%200041>
>
>
>
>
>
> [image:
> https://ci4.googleusercontent.com/proxy/TR5UTcqL6Hf_M5j9s8FAUk-M6tha19Ah5XoYpMBuUfklbG1fKybR_OJTBKfRDx_NT2uhgA=s0-d-e1-ft#http://i.imgur.com/nSzF67u.png]
>
> hatab at master-works.net <your%20eMail at master-works.net>
>
>
>
>
>
> [image:
> https://ci4.googleusercontent.com/proxy/x5QKF00_4a4MAbnSDiz5NhENP7-erUpRFE_HEKhihG9kZnsowvaTe0HR2-LiROAvaUzPkA=s0-d-e1-ft#http://i.imgur.com/mD4oVu1.png]
>
> www.master-works.net
>
>
>
>
>
> [image:
> https://ci3.googleusercontent.com/proxy/uHYsrH7OEM_RoMtfnvF8pRKZh0pVpUEAm9r95QNGZYV-lrGcru_cw3Pjmxhyl3XDQl-Ogg=s0-d-e1-ft#http://i.imgur.com/qQRa1FK.png]Riyadh,
> Saudi Arabia
> <https://www.google.com.sa/maps/place/Master+Works/@24.7586655,46.7122324,17z/data=!3m1!4b1!4m5!3m4!1s0x3e2efd8756f74c0d:0x2274ad319a955081!8m2!3d24.7586606!4d46.7144211?hl=en>
>
>
>
> [image:
> https://ci5.googleusercontent.com/proxy/ASKKKFa6mdzvkC_tYWyEMX9RUrJjNIJr4vPjad5iPVPOxdjCzGvId3Xsu6Sn4Y2EpmkGhQ=s0-d-e1-ft#http://i.imgur.com/UfKIAgg.png]
> <https://www.linkedin.com/in/hatab/>
>
> [image:
> https://ci5.googleusercontent.com/proxy/TsqSHz5RVBJkXzqzli8x3y1YRdcTg6KMGeaSDHV8poap8smq78sb8_z1yax9-82FpORn8w=s0-d-e1-ft#http://i.imgur.com/EXpPiSj.png]
>
>
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon> Virus-free.
> www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link>
> <#m_-1463410167801851658_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 243 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 360 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 299 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 312 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 467 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 350 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0013.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 600 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0014.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 25092 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/2e427317/attachment-0015.png>


More information about the Security mailing list