[CKAN-Security] CKAN Security issue

Mohamed Hatab hatab at master-works.net
Tue Mar 26 10:22:04 UTC 2019 

Thanks Adrià , appreciate your support 

So it’s part of CKAN configuration and there is no any security issue?

 




Best Regards,,, 


Mohamed Hatab 


Software Development Manager





 <http://+966505232233/> +966559495262

 

 




 <tel:+966%2011%20400%200014> +966114000014

 

 





 <tel:+966%2011%20400%200041> +966114000041

 

 




 <mailto:your%20eMail at master-works.net> hatab at master-works.net

 

 




 <http://www.master-works.net/> www.master-works.net

 

 



 <https://www.google.com.sa/maps/place/Master+Works/@24.7586655,46.7122324,17z/data=!3m1!4b1!4m5!3m4!1s0x3e2efd8756f74c0d:0x2274ad319a955081!8m2!3d24.7586606!4d46.7144211?hl=en> Riyadh, Saudi Arabia

 


 <https://www.linkedin.com/in/hatab/> 



 

 

From: Adrià Mercader [mailto:adria.mercader at okfn.org] 
Sent: Tuesday, March 26, 2019 1:00 PM
To: CKAN Security Alerts/Discussions <security at lists.okfn.org>; Mohammed Hatab <hatab at master-works.net>
Subject: Re: [CKAN-Security] CKAN Security issue

 

Hi Mohammed,

 

Apologies for the late reply on this. The CKAN code base does not use pickling in any form, apart for the configuration of the Sphinx documentation, which is a controlled input.

So the issue of unpickling untrusted or unathenticated source listed on your security report does not apply to CKAN.

 

Hope this helps, let us know if you have any further questions.

 

Best regards,

 

Adrià

 

On Thu, 21 Mar 2019 at 10:03, Mohamed Hatab <hatab at master-works.net <mailto:hatab at master-works.net> > wrote:

Dears appreciate you fast response its urgent.

 




Best Regards,,, 


Mohamed Hatab 


Software Development Manager





 <http://+966505232233/> +966559495262

 

 




 <tel:+966%2011%20400%200014> +966114000014

 

 





 <tel:+966%2011%20400%200041> +966114000041

 

 




hatab at master-works.net <mailto:your%20eMail at master-works.net> 

 

 




 <http://www.master-works.net/> www.master-works.net

 

 



 <https://www.google.com.sa/maps/place/Master+Works/@24.7586655,46.7122324,17z/data=!3m1!4b1!4m5!3m4!1s0x3e2efd8756f74c0d:0x2274ad319a955081!8m2!3d24.7586606!4d46.7144211?hl=en> Riyadh, Saudi Arabia

 


 <https://www.linkedin.com/in/hatab/> 



 

 

From: Mohamed Hatab [mailto:hatab at master-works.net <mailto:hatab at master-works.net> ] 
Sent: Tuesday, March 19, 2019 2:35 PM
To: 'security at ckan.org <mailto:security at ckan.org> ' <security at ckan.org <mailto:security at ckan.org> >
Subject: CKAN Security issue

 

Dear Team

Hope you are doing well

We have received the security report for the ckan and we got one critical issue as below.

 


Issue

Severity

Note


Python pickle serialization

Critical

The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source

 

Could you explain or share any references that prove there is no any security issues or risks or is there any other alternative solutions?

 




Best Regards,,, 


Mohamed Hatab 


Software Development Manager





 <http://+966505232233/> +966559495262

 

 




 <tel:+966%2011%20400%200014> +966114000014

 

 





 <tel:+966%2011%20400%200041> +966114000041

 

 




hatab at master-works.net <mailto:your%20eMail at master-works.net> 

 

 




 <http://www.master-works.net/> www.master-works.net

 

 



 <https://www.google.com.sa/maps/place/Master+Works/@24.7586655,46.7122324,17z/data=!3m1!4b1!4m5!3m4!1s0x3e2efd8756f74c0d:0x2274ad319a955081!8m2!3d24.7586606!4d46.7144211?hl=en> Riyadh, Saudi Arabia

 


 <https://www.linkedin.com/in/hatab/> 



 

 

 


 <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon> 

Virus-free.  <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link> www.avast.com 

_______________________________________________
CKAN security
https://lists.okfn.org/mailman/listinfo/security
https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org

Repo: https://github.com/ckan/ckan-security



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 243 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 360 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 299 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 312 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 467 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 350 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0013.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 600 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0014.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 25092 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190326/1cc2f29e/attachment-0015.png>

More information about the Security mailing list