[CKAN-Security] CKAN Security issue

Adrià Mercader adria.mercader at okfn.org
Tue Mar 26 10:40:04 UTC 2019


It's actually part of the documentation configuration (used to build
docs.ckan.org), not the actual CKAN configuration, so users are not meant
to modify it.

On Tue, 26 Mar 2019 at 11:22, Mohamed Hatab <hatab at master-works.net> wrote:

> Thanks Adrià, appreciate your support.
>
> So it's part of the CKAN configuration and there isn't any security issue?
>
>
>
> Best Regards,
>
> Mohamed Hatab
> Software Development Manager
> +966559495262 | +966114000014 | +966114000041
> hatab at master-works.net
> www.master-works.net
> Riyadh, Saudi Arabia
> https://www.linkedin.com/in/hatab/
>
>
>
>
>
> *From:* Adrià Mercader [mailto:adria.mercader at okfn.org]
> *Sent:* Tuesday, March 26, 2019 1:00 PM
> *To:* CKAN Security Alerts/Discussions <security at lists.okfn.org>;
> Mohammed Hatab <hatab at master-works.net>
> *Subject:* Re: [CKAN-Security] CKAN Security issue
>
>
>
> Hi Mohammed,
>
>
>
> Apologies for the late reply on this. The CKAN code base does not use
> pickling in any form, apart from the configuration of the Sphinx
> documentation, which is a controlled input.
>
> So the issue of unpickling data from an untrusted or unauthenticated source
> listed in your security report does not apply to CKAN.
>
>
>
> Hope this helps, let us know if you have any further questions.
>
>
>
> Best regards,
>
>
>
> Adrià
>
>
>
> On Thu, 21 Mar 2019 at 10:03, Mohamed Hatab <hatab at master-works.net>
> wrote:
>
> Dears, appreciate your fast response, it's urgent.
>
>
>
> Best Regards,
>
> Mohamed Hatab
> Software Development Manager
>
>
>
>
>
> *From:* Mohamed Hatab [mailto:hatab at master-works.net]
> *Sent:* Tuesday, March 19, 2019 2:35 PM
> *To:* 'security at ckan.org' <security at ckan.org>
> *Subject:* CKAN Security issue
>
>
>
> Dear Team,
>
> Hope you are doing well.
>
> We have received the security report for CKAN and got one critical issue,
> as below.
>
> Issue                         Severity   Note
> Python pickle serialization   Critical   The pickle module is not intended to be
>                                          secure against erroneous or maliciously
>                                          constructed data. Never unpickle data
>                                          received from an untrusted or
>                                          unauthenticated source.
>
> Could you explain or share any references that prove there aren't any
> security issues or risks, or is there any alternative solution?
>
>
>
> Best Regards,
>
> Mohamed Hatab
> Software Development Manager
>
>
>
>
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon>
>
> Virus-free. www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link>
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
>
>
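The finding quoted above is generic: a static scanner saw `pickle` and reported the standard library's own warning. The point that matters for triage is *why* the warning exists and what "controlled input" buys you. The following is an added example for this thread, not CKAN or Sphinx code, and the class and function names (MaliciousPayload, naive_load, RestrictedUnpickler, restricted_load) are illustrative. It builds a pickle stream that runs attacker-chosen code when loaded (eval() stands in for the usual os.system payload), shows that a bare pickle.loads executes it, then shows the two usual mitigations: an allow-list Unpickler that refuses every global except plain containers and scalars, and a JSON round-trip, which carries data and never code.

```python
"""Why a scanner flags pickle, and what a safe loader looks like.

Added example for this thread; none of this is CKAN or Sphinx code.
The class, function and variable names are illustrative.
"""
import io
import json
import os
import pickle


class MaliciousPayload:
    """Object whose pickle stream runs attacker-chosen code when loaded.

    pickle stores the callable and arguments returned by __reduce__ and
    calls them during unpickling. The receiving process never needs this
    class: the stream only references builtins.eval.
    """

    def __reduce__(self):
        # eval() of an attacker-controlled string stands in for the usual
        # os.system / subprocess payload; it returns the victim's PID so the
        # checks below can prove the code ran inside the loading process.
        return (eval, ("__import__('os').getpid()",))


def build_untrusted_blob() -> bytes:
    """Constructed attacker input, e.g. bytes arriving from a client."""
    return pickle.dumps(MaliciousPayload())


def naive_load(blob: bytes):
    """The pattern static scanners flag: pickle.loads on external bytes."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: resolves only plain containers and scalars.

    Every global the stream asks for goes through find_class, so refusing
    everything outside the allow-list blocks the REDUCE-with-eval trick.
    """

    SAFE = {
        ("builtins", name)
        for name in ("dict", "list", "set", "frozenset", "tuple",
                     "str", "bytes", "int", "float", "bool")
    }

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def payload_executes_on_load() -> bool:
    """True when naive unpickling ran the embedded eval() in this process."""
    return naive_load(build_untrusted_blob()) == os.getpid()


def restricted_blocks_payload() -> bool:
    """True when the allow-list unpickler refuses the same stream."""
    try:
        restricted_load(build_untrusted_blob())
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample record standing in for ordinary application data.
PLAIN_RECORD = {"dataset": "example", "tags": ["a", "b"], "count": 3}


def restricted_allows_plain_data() -> bool:
    """Ordinary data still round-trips through the restricted loader."""
    return restricted_load(pickle.dumps(PLAIN_RECORD)) == PLAIN_RECORD


def json_roundtrip(record: dict) -> dict:
    """The alternative for untrusted input: JSON carries data, never code."""
    return json.loads(json.dumps(record))


if __name__ == "__main__":
    print("naive pickle.loads ran attacker code:  ", payload_executes_on_load())
    print("restricted unpickler blocked it:       ", restricted_blocks_payload())
    print("restricted unpickler loads plain data: ", restricted_allows_plain_data())
    print("json round-trip:", json_roundtrip(PLAIN_RECORD))
```

The allow-list Unpickler is the pattern the Python documentation itself suggests when pickle cannot be avoided, but it only helps when the allow-list really is limited to data types; allowing any callable that does I/O reopens the hole. For anything that crosses a trust boundary, JSON (or another data-only format) is the answer to the "alternative solutions" question in the report. To check Adrià's statement against a CKAN checkout rather than take it on trust, `grep -rn -E '\bc?pickle\b' --include='*.py' .` over the tree shows whether anything beyond the documentation build configuration he mentions imports the module, and whether any hit reads bytes that an unauthenticated client can supply.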