health-dev

Re: [Health-dev] [bug #58584] Various security issues for gnuhealth-cont


From: Luis Falcon
Subject: Re: [Health-dev] [bug #58584] Various security issues for gnuhealth-control
Date: Wed, 17 Jun 2020 12:29:55 +0100

Hi Axel, Johannes

Axel, please before sending any potential vulnerability, practice
coordinated disclosure. Make sure you write to
"security@gnuhealth.org"[1] so we can discuss and apply the pertinent
patches if needed.

This particular context is not critical, but if that were the case,
you would be publicly exposing the vulnerability.

Let me repeat: *ALWAYS* write privately to security@gnuhealth.org if you
think there is a vulnerability.

I have noticed that

https://bugzilla.opensuse.org/show_bug.cgi?id=1167126

and

https://bugzilla.opensuse.org/show_bug.cgi?id=1167128

are public.


1.-
https://en.wikibooks.org/wiki/GNU_Health/Security#Reporting_a_security_vulnerability


On Tue, 16 Jun 2020 13:42:56 -0400 (EDT)
Axel Braun <INVALID.NOREPLY@gnu.org> wrote:

> URL:
>   <https://savannah.gnu.org/bugs/?58584>
> 
>                  Summary: Various security issues for gnuhealth-control
>                  Project: GNU Health
>             Submitted by: coogor
>             Submitted on: Tue 16 Jun 2020 05:42:54 PM UTC
>                 Category: Security
>                 Severity: 4 - Important
>               Item Group: None
>                   Status: None
>                  Privacy: Private
>              Assigned to: None
>              Open/Closed: Open
>                  Release: None
>          Discussion Lock: Any
>                   Module: gnuhealth-control
> 
>     _______________________________________________________
> 
> Details:
> 
> The SUSE security team has conducted an audit on gnuhealth-control
> and found issues related to:
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167126
> (Local privilege escalation in gnuhealth-control, use of static tmp
> file/http transport )
> 
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167128
> (Local DoS of backup functionality in gnuhealth-control due to use of
> static tmp files)
> 
> These issues are fixed in gnuhealth-control shipped with openSUSE,
> but not yet in gnuhealth-vanilla
> 
> The attached gnuhealth-control should fix the issues mentioned above
> 
> 
> 
> 
> 
>     _______________________________________________________
> 
> File Attachments:
> 
> 
> -------------------------------------------------------
> Date: Tue 16 Jun 2020 05:42:54 PM UTC  Name: gnuhealth-control_364
> Size: 19KiB   By: coogor
> gnuhealth-control with fixes applied
> <http://savannah.gnu.org/bugs/download.php?file_id=49279>
> 
>     _______________________________________________________
> 
> Reply to this item at:
> 
>   <https://savannah.gnu.org/bugs/?58584>
> 
> _______________________________________________
>   Message sent via Savannah
>   https://savannah.gnu.org/
> 
> 



