[ixpmanager] Security Release - v3.6.19
Barry O'Donovan
barry.odonovan at inex.ie
Mon Nov 17 09:13:57 GMT 2014
IXP Manager v3.6.19 is now available as a security release for all
previous versions. We strongly encourage you to update your sites
immediately.
https://github.com/inex/IXP-Manager/releases/tag/v3.6.19
This release fixes a possible (already authenticated) user privilege
escalation via a stored XSS vulnerability and cookie robbery.
All vulnerabilities were found and responsibly reported by Alexandros
Zaharis, Security Officer at GRNET, to whom we are very grateful.
IXP Manager v3.6.19 also contains other security changes:
* Reflective XSS vulnerability for non-authenticated users.
* Disabling a user account did not prevent them from logging in.
In addition to the security fixes, there is also a new feature: addition
of the euro-ix BCP data export format for IX members [1] as introduced
by Elisa Jasinska and Nick Hilliard at RIPE 69 (presentation [2] and
video [3]).
- Barry
[1] https://www.euro-ix.net/documents/1453-ixp-member-list-json-schema-v0-3-txt?download=yes
[2] https://ripe69.ripe.net/presentations/94-1411-ej-ixp-json-api.pdf
[3] https://ripe69.ripe.net/archives/video/222
--
Kind regards,
Barry O'Donovan
INEX Operations
Mob: +353 86 801 7669
Tel: +353 1 685 4220
+-------------------------------+-------------------------------------+
| Open Source Solutions Ltd. | INEX Operations Team |
| Lynx House Old Church Road, | Internet Neutral Exchange |
| Lower Kilmacud Road, | Association, 4027 Kingswood Road, |
| Stillorgan, Co Dublin. | Citywest Business Campus, Dublin 24 |
| http://www.opensolutions.ie/ | http://www.inex.ie/ |
+-------------------------------+-------------------------------------+