[ixpmanager-announce] [RELEASE] V5.6.0 - Security Fix, Per-Member Document Store and Bug Fixes

Barry O'Donovan barry.odonovan at inex.ie
Fri May 29 14:54:41 IST 2020


Hi,

further detail as promised on the security issue corrected in v5.6.0:

Barry O'Donovan wrote on 23/05/2020 11:23:
> **Security Fix**
> 
> This release includes a fix for a security bug introduced in v4.9.0.
> 
> The bug allows a logged-in non-administrator user to effect changes to a 
> non-service-affecting database table.
> 
> To allow people a chance to upgrade, we will delay publishing more 
> information on the security issue until Friday, May 29th 2020. If any 
> IXP cannot upgrade in that time frame, please email any of myself, Nick 
> or Yann from an official IXP email address and we will provide a quick fix.
> 
> Credit to David Croft (@davidc), an elected member director of LONAP, 
> for finding and responsibly disclosing this issue.


The issue would allow logged-in users to list, edit, add and delete 
contact groups. Importantly, when listing the contacts of a specific group 
they would only have seen their own contacts, not all contacts defined 
in IXP Manager.

To be clear - no personal data exposure is possible via this issue.

More information on contact groups:

https://docs.ixpmanager.org/usage/contacts

If you wish to mitigate this quickly pending an upgrade, the fix is:

https://github.com/inex/IXP-Manager/commit/943d0f984c7ef0a2beb4494ab72b8e081c957c2e

Thanks,

   - Barry
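Added illustration (not part of the announcement, and not IXP Manager's own code or the linked commit): the class of bug described above is a logged-in check standing in for an authorisation check on an administrator-only resource. The sketch below uses plain Laravel to show the "auth only" route registration next to a version that gates contact-group management on superuser status at both the route and the controller. The names ContactGroupController, ContactGroup, manage-contact-groups and the route paths are assumptions; isSuperUser() is borrowed from IXP Manager's User model, and the gate definition normally lives in AuthServiceProvider::boot().

```php
<?php
// Added example, not IXP Manager's code. Generic Laravel; the controller,
// model, gate name and route paths are assumptions made for illustration.

namespace App\Http\Controllers;

use App\ContactGroup;                                   // assumed Eloquent model
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller as BaseController;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// 1. Authorisation rule. Contact groups are an administrator-only resource,
//    so the gate asks "is this a superuser?", not "is this user logged in?".
//    (In a real app this belongs in AuthServiceProvider::boot().)
Gate::define('manage-contact-groups', function ($user) {
    return $user->isSuperUser();
});

class ContactGroupController extends BaseController
{
    use AuthorizesRequests;

    // Every write path re-checks the gate itself, so the controller stays
    // safe even if a route is later registered without the middleware.
    public function store(Request $request)
    {
        $this->authorize('manage-contact-groups');      // 403 for non-superusers

        $data = $request->validate([
            'name' => 'required|string|max:255',
            'type' => 'required|string|max:255',
        ]);

        $group = ContactGroup::create($data);
        return response()->json(['id' => $group->id], 201);
    }

    public function delete(int $id)
    {
        $this->authorize('manage-contact-groups');

        ContactGroup::findOrFail($id)->delete();
        return response()->json(['deleted' => $id]);
    }
}

// 2. Route registration.
//
// Broken pattern (contrast only, do not ship): 'auth' proves the caller has
// an account, which every member contact does, so any of them reaches the
// CRUD handlers.
//
//     Route::middleware('auth')->group(function () {
//         Route::post('contact-group/store', 'ContactGroupController@store');
//         Route::delete('contact-group/delete/{id}', 'ContactGroupController@delete');
//     });
//
// Fixed pattern: the 'can:' middleware evaluates the gate before the
// controller runs, and the controller's own authorize() call is the
// second layer.
Route::middleware(['auth', 'can:manage-contact-groups'])->group(function () {
    Route::post('contact-group/store',         'ContactGroupController@store');
    Route::delete('contact-group/delete/{id}', 'ContactGroupController@delete');
});
```

Two points worth keeping in mind when reviewing similar code: the per-member scoping Barry describes (a user listing a group sees only their own contacts) is a separate data-scoping check and does not substitute for the role check on create, edit and delete; and putting the check in both the route middleware and the controller means a future route added without the middleware still fails closed.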