Hello Luis,

I have already informed you three months ago in a private, encrypted mail about this issue - the solution was provided on 23 March, as well in an encrypted mail.

Release 3.6.4 was one month ago, and I had emphasized this to you as well. Too bad that it was ignored, as I just found out.

Best,
Axel

On Wednesday, 17 June 2020, 13:29:55 CEST, Luis Falcon wrote:
> Hi Axel, Johannes
>
> Axel, please before sending any potential vulnerability, practice
> coordinated disclosure. Make sure you write to
> "secur...@gnuhealth.org"[1] so we can discuss and apply the pertinent
> patches if needed.
>
> This particular context is not critical, but if it would be the case,
> you would be publicly exposing the vulnerability.
>
> Let me repeat: *ALWAYS* write privately to secur...@gnuhealth.org if you
> think there is a vulnerability.
>
> I have noticed that
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167126
>
> and
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1167128
>
> are public.
>
>
> 1.- https://en.wikibooks.org/wiki/GNU_Health/Security#Reporting_a_security_vulnerability
>
>
> On Tue, 16 Jun 2020 13:42:56 -0400 (EDT)
> Axel Braun <invalid.nore...@gnu.org> wrote:
> > URL:
> >   <https://savannah.gnu.org/bugs/?58584>
> >
> >          Summary: Various security issues for gnuhealth-control
> >          Project: GNU Health
> >     Submitted by: coogor
> >     Submitted on: Tue 16 Jun 2020 05:42:54 PM UTC
> >         Category: Security
> >         Severity: 4 - Important
> >       Item Group: None
> >           Status: None
> >          Privacy: Private
> >      Assigned to: None
> >      Open/Closed: Open
> >          Release: None
> >  Discussion Lock: Any
> >           Module: gnuhealth-control
> >
> >     _______________________________________________________
> >
> > Details:
> >
> > The SUSE security team has conducted an audit on gnuhealth-control
> > and found issues related to:
> > https://bugzilla.opensuse.org/show_bug.cgi?id=1167126
> > (Local privilege escalation in gnuhealth-control, use of static tmp
> > file/http transport )
> >
> > https://bugzilla.opensuse.org/show_bug.cgi?id=1167128
> > (Local DoS of backup functionality in gnuhealth-control due to use of
> > static tmp files)
> >
> > These issues are fixed in gnuhealth-control shipped with openSUSE,
> > but not yet in gnuhealth-vanilla
> >
> > The attached gnuhealth-control should fix the issues mentioned above
> >
> >     _______________________________________________________
> >
> > File Attachments:
> >
> >
> > -------------------------------------------------------
> > Date: Tue 16 Jun 2020 05:42:54 PM UTC  Name: gnuhealth-control_364
> > Size: 19KiB  By: coogor
> > gnuhealth-control with fixes applied
> > <http://savannah.gnu.org/bugs/download.php?file_id=49279>
> >
> >     _______________________________________________________
> >
> > Reply to this item at:
> >
> >   <https://savannah.gnu.org/bugs/?58584>
> >
> > _______________________________________________
> >
> > Message sent via Savannah
> >   https://savannah.gnu.org/

-- 
Dr.-Ing. Axel K. Braun
M: +49.173.7003.154
T: @coogor
Matrix: @docb:matrix.org
PGP Fingerprint: 2E7F 3A19 A4A4 844A 3D09 7656 822D EB64 A3BA 290D
Public Key available at http://www.axxite.com/axel.br...@gmx.de.asc
Personal Freedom starts with free/libre Software
ThinkPad T520 running openSUSE Tumbleweed 20200615
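Both openSUSE bug summaries quoted in the thread above (1167126 and 1167128) trace the problem in gnuhealth-control to static tmp file paths, the pattern where a shell script writes to a fixed, guessable name under /tmp that another local user can pre-create or replace. The block below is an added example, not code from gnuhealth-control or from Axel's attached fix, showing the hardened counterpart a shell script should use instead: a per-run directory from mktemp (created atomically with mode 0700), writes with noclobber set so an existing path is never overwritten, a post-write check that the result is a regular file with mode 0600, and a trap that removes the directory on exit. The function names gh_secure_tmpdir, gh_write_private and gh_demo and the sample backup-list content are hypothetical.

```shell
#!/bin/sh
# Added example (not gnuhealth-control's own code). Function names are
# hypothetical; the backup-list content is constructed sample data.

# Create a private per-run working directory with an unpredictable name.
# mktemp -d creates it atomically with mode 0700, so a file or symlink that
# someone else planted at a guessable static path is never reused, and
# other local users cannot read, replace or pre-create its contents.
gh_secure_tmpdir() {
    umask 077
    d=$(mktemp -d "${TMPDIR:-/tmp}/gnuhealth-backup.XXXXXX") || return 1
    printf '%s\n' "$d"
}

# Write content to $dir/$name. noclobber (set -C) makes the redirection fail
# instead of overwriting an existing path, and the checks afterwards verify
# the result is a regular, non-symlink file with mode 0600.
gh_write_private() {
    dir=$1; name=$2; content=$3
    f="$dir/$name"
    ( set -C; umask 077; printf '%s\n' "$content" > "$f" ) || return 1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$perm" = "600" ] || return 1
    printf '%s\n' "$f"
}

# Demonstrate the pattern end to end: private directory, cleanup trap,
# one private write, then print the file back. Returns non-zero on any
# failed check, including a directory mode other than 0700.
gh_demo() {
    dir=$(gh_secure_tmpdir) || return 1
    trap 'rm -rf "$dir"' EXIT INT TERM
    f=$(gh_write_private "$dir" "backup.list" "constructed: demo.dump") || return 1
    perm=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$perm" = "700" ] || return 1
    cat "$f"
}
```

Run gh_demo from a script to see the whole sequence; the important property is that every path the script touches lives under a directory it created itself in this run, so neither the privilege-escalation nor the denial-of-service variant described in the bug summaries has a fixed name to aim at. Calling gh_write_private twice with the same name fails on the second call by design, which is the behaviour you want from a backup helper rather than a silent overwrite.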