Hi Axel, Johannes Axel,

Please, before sending any potential vulnerability, practice coordinated disclosure. Make sure you write to "secur...@gnuhealth.org"[1] so we can discuss and apply the pertinent patches if needed.
This particular context is not critical, but if it were the case, you would be publicly exposing the vulnerability. Let me repeat: *ALWAYS* write privately to secur...@gnuhealth.org if you think there is a vulnerability.

I have noticed that https://bugzilla.opensuse.org/show_bug.cgi?id=1167126 and https://bugzilla.opensuse.org/show_bug.cgi?id=1167128 are public.

1.- https://en.wikibooks.org/wiki/GNU_Health/Security#Reporting_a_security_vulnerability

On Tue, 16 Jun 2020 13:42:56 -0400 (EDT)
Axel Braun <invalid.nore...@gnu.org> wrote:

> URL:
>   <https://savannah.gnu.org/bugs/?58584>
>
>                  Summary: Various security issues for gnuhealth-control
>                  Project: GNU Health
>             Submitted by: coogor
>             Submitted on: Tue 16 Jun 2020 05:42:54 PM UTC
>                 Category: Security
>                 Severity: 4 - Important
>               Item Group: None
>                   Status: None
>                  Privacy: Private
>              Assigned to: None
>              Open/Closed: Open
>                  Release: None
>          Discussion Lock: Any
>                   Module: gnuhealth-control
>
>     _______________________________________________________
>
> Details:
>
> The SUSE security team has conducted an audit on gnuhealth-control
> and found issues related to:
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167126
> (Local privilege escalation in gnuhealth-control, use of static tmp
> file/http transport)
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167128
> (Local DoS of backup functionality in gnuhealth-control due to use of
> static tmp files)
>
> These issues are fixed in gnuhealth-control shipped with openSUSE,
> but not yet in gnuhealth-vanilla.
>
> The attached gnuhealth-control should fix the issues mentioned above.
>
>     _______________________________________________________
>
> File Attachments:
>
> -------------------------------------------------------
> Date: Tue 16 Jun 2020 05:42:54 PM UTC  Name: gnuhealth-control_364  Size: 19KiB  By: coogor
> gnuhealth-control with fixes applied
> <http://savannah.gnu.org/bugs/download.php?file_id=49279>
>
>     _______________________________________________________
>
> Reply to this item at:
>
>   <https://savannah.gnu.org/bugs/?58584>
>
> _______________________________________________
>   Message sent via Savannah
>   https://savannah.gnu.org/
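The two openSUSE reports quoted above name the same bug class: a script that writes to a fixed, predictable file name in the world-writable /tmp can be pre-empted by any other local user. The following is an added illustration of that class and of the usual fix; it is not code from gnuhealth-control or from the GNU Health project, and every path and function name in it is hypothetical. The "attack" runs inside a private sandbox directory created for the demonstration, so it never touches the real /tmp.

```shell
#!/bin/sh
# Added illustration, not gnuhealth-control's own code. Shows why a static
# temp file name is a local attack surface and how mktemp removes it.
# All function and path names are hypothetical.

# Naive writer: opens whatever already sits at $1. If another local user has
# placed a symlink there first, the write follows it to the symlink target
# (privilege escalation when the writer is privileged); if they placed a
# regular file the writer cannot replace, the backup simply fails (local DoS).
write_backup_naive() {
    printf 'backup contents\n' > "$1"
}

# Hardened writer: a fresh directory with an unpredictable name, created
# atomically with mode 0700 by mktemp, so no other user can pre-create or
# symlink anything inside it. Prints the path of the file it wrote.
write_backup_safe() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ghbackup.XXXXXX") || return 1
    printf 'backup contents\n' > "$dir/backup.sql" || return 1
    printf '%s\n' "$dir/backup.sql"
}

# Simulates the hijack inside a private sandbox (constructed for the demo).
# A "victim" file stands in for whatever the writer must not be able to
# clobber; the "attacker" pre-creates the static name as a symlink to it.
# Prints "hijacked" when the victim was overwritten through the symlink.
demo_static_path_hijack() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/sandbox.XXXXXX") || return 1
    victim="$sandbox/victim"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$sandbox/backup.tmp"      # attacker's move, done first
    write_backup_naive "$sandbox/backup.tmp"   # script's move, follows the link
    if [ "$(cat "$victim")" = 'backup contents' ]; then
        echo hijacked
    else
        echo safe
    fi
    rm -rf "$sandbox"
}

# Shows the hardened variant: the file lives in a directory only this user
# can enter (drwx------) and the written path is not a symlink.
# Prints "ok" on success.
demo_safe_tmpdir() {
    file=$(write_backup_safe) || return 1
    dir=$(dirname "$file")
    if [ -d "$dir" ] && [ ! -L "$file" ] \
       && [ "$(cat "$file")" = 'backup contents' ] \
       && ls -ld "$dir" | grep -q '^drwx------'; then
        echo ok
    else
        echo bad
    fi
    rm -rf "$dir"
}

# Stand-alone run: prints "hijacked" then "ok".
demo_static_path_hijack
demo_safe_tmpdir
```

The important property is not the random name by itself but the private directory: mktemp -d creates it with O_EXCL semantics and mode 0700, so there is no window in which another user can plant a file or symlink under the path the script is about to use. A `trap 'rm -rf "$dir"' EXIT` on the created directory is the usual companion so that a failed run does not leave the dump behind.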