This afternoon (16h20 CET) a user of Indefero found a security vulnerability in Indefero. This vulnerability affects all releases of Indefero up to 0.8.9; release 0.8.10 (published less than 1h30 after the vulnerability was reported) provides a fix.
The vulnerability is in the git serving component. If a project is marked as private and its source is made available read-only to extra users, other users of the same forge with a valid SSH key can get read-only access to the project if they know the project's short name. In the case of the hosted offer, a user from another forge could not access the projects of your forge: the vulnerability was isolated at the forge level.
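To make the intended policy concrete, here is an added illustrative model of the check the git serving component has to make before answering an SSH clone (example code written for this post, not Indefero's own code; the class names, the key-fingerprint-to-user map and the user and project names are assumptions):

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    short_name: str
    private: bool
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)
    extra_readers: set = field(default_factory=set)  # "extra users" with read-only access

@dataclass
class Forge:
    projects: dict = field(default_factory=dict)  # short name -> Project
    ssh_keys: dict = field(default_factory=dict)  # key fingerprint -> username

    def user_for_key(self, fingerprint):
        return self.ssh_keys.get(fingerprint)

    def can_read(self, username, short_name):
        project = self.projects.get(short_name)
        if project is None:
            return False
        if not project.private:
            return True
        # Private project: a valid forge account (or SSH key) and knowledge of the
        # short name are not enough; the user must be attached to this project.
        return (username in project.owners or username in project.members
                or username in project.extra_readers)

    def can_write(self, username, short_name):
        project = self.projects.get(short_name)
        if project is None:
            return False
        # Extra readers are read-only: only owners and members may push.
        return username in project.owners or username in project.members

    def authorize_git(self, fingerprint, short_name, write=False):
        user = self.user_for_key(fingerprint)
        if user is None:  # unknown key: reject before any project lookup
            return False
        return self.can_write(user, short_name) if write else self.can_read(user, short_name)

def build_demo_forge():
    # Constructed sample data: alice owns both projects, bob is an extra reader of
    # "secret", mallory is just another user of the same forge with a valid key.
    forge = Forge()
    forge.ssh_keys = {"fp-alice": "alice", "fp-bob": "bob", "fp-mallory": "mallory"}
    forge.projects["secret"] = Project("secret", True, owners={"alice"}, extra_readers={"bob"})
    forge.projects["public"] = Project("public", False, owners={"alice"})
    return forge
```

The case the advisory describes is the last assertion below: a user of the forge who holds a valid key and knows the short name "secret" but is not attached to the project must be refused.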
If you are using the hosted offer, the issue has already been fixed. If you have your own version of Indefero, here are the three possible ways to fix the vulnerability:
I am really sorry for this vulnerability. If you have any questions, do not hesitate to contact me through the mailing list or directly.
Feb 19, 2010
© Céondo Ltd, 2007-2013. All rights reserved.