Download links will be added to the alert page: http://status.net/wiki/Security_alert_0000002

---------

All release versions of StatusNet (0.7.x, 0.8.x, 0.9.x) are subject to a local file include vulnerability that makes it possible for an attacker to read arbitrary files on the file system. The vulnerability is in the online documentation system.

Additionally, beta versions of StatusNet (0.9.x) are subject to a local file include vulnerability in the system for sharing uploaded files in a private site.

Thanks to Mark Piper for identifying the first vulnerability and to Brion Vibber for finding the similar second one.

== News ==
* 1 Feb 2010 09:00AM EST - vulnerability reported.
* 1 Feb 2010 10:30AM EST - vulnerability confirmed.
* 1 Feb 2010 12:00PM EST - fixes pushed to 0.7.x, 0.8.x, 0.9.x, master, testing branches in Git.
* 1 Feb 2010 12:00PM EST - fixes pushed to status.net cloud service and applied to all sites including identi.ca.

== Fix ==

Currently fixes are available in all branches of the project on gitorious.

New releases of all branches will be made available this afternoon EST.

---------


-- brion vibber (brion @ status.net)
Senior Software Architect
StatusNet, Inc.
San Francisco
_______________________________________________
StatusNet-dev mailing list
[email protected]
http://lists.status.net/mailman/listinfo/statusnet-dev
