[ixpmanager-announce] [RELEASE] V5.6.0 - Security Fix, Per-Member Document Store and Bug Fixes
Barry O'Donovan
barry.odonovan at inex.ie
Fri May 29 14:54:41 IST 2020
Hi,
further detail as promised on the security issue corrected in v5.6.0:
Barry O'Donovan wrote on 23/05/2020 11:23:
> **Security Fix**
>
> This release includes a fix for a security bug introduced in v4.9.0.
>
> The bug allows a logged in non-administrator user to affect changes to a
> non-service affecting database table.
>
> To allow people a chance to upgrade, we will delay publishing more
> information on the security issue until Friday, May 29th 2020. If any
> IXP cannot upgrade in that time frame, please email any of myself, Nick
> or Yann from an official IXP email address and we will provide a quick fix.
>
> Credit to David Croft (@davidc), an elected member director of LONAP,
> for finding and responsibly disclosing this issue.
The issue would allow logged in users to list, edit, add and delete
contact groups. Importantly, when listing contacts of a specific group
they would only have seen their own contacts, not all contacts defined
in IXP Manager.
To be clear - no personal data exposure is possible via this issue.
More information on contact groups:
https://docs.ixpmanager.org/usage/contacts
If you wish to mitigate this quickly pending an upgrade, the fix is:
https://github.com/inex/IXP-Manager/commit/943d0f984c7ef0a2beb4494ab72b8e081c957c2e
Thanks,
- Barry
More information about the ixpmanager-announce
mailing list