Security alert 0000002

From StatusNet

All release versions of StatusNet (0.7.x, 0.8.x, 0.9.x) are subject to a local file include vulnerability that makes it possible for an attacker to read arbitrary files on the file system. The vulnerability is in the online documentation system.

Additionally, beta versions of StatusNet (0.9.x) are subject to a local file include vulnerability in the system for sharing uploaded files in a private site.

Thanks to Mark Piper for identifying the first vulnerability and to Brion Vibber for finding the similar second one.

[edit] News

• 1 Feb 2010 09:00AM EST - vulnerability reported.
• 1 Feb 2010 10:30AM EST - vulnerability confirmed.
• 1 Feb 2010 12:00PM EST - fixes pushed to 0.7.x, 0.8.x, 0.9.x, master, testing branches in Git.
• 1 Feb 2010 12:00PM EST - fixes pushed to status.net cloud service and applied to all sites including identi.ca.
• 1 Feb 2010 14:00PM EST - release of versions 0.7.5, 0.8.3, and 0.9.0beta5 that include security fix.
• 1 Feb 2010 14:00PM EST - blog post on status.net describing the security vulnerability

[edit] Fix

Currently fixes are available in all branches of the project on status.net and gitorious.

• 0.8.4 and 0.9.0beta5 http://status.net/download
• 0.7.x - use laconica-0.7.5.tar.gz
• 0.8.x - use statusnet-0.8.3.tar.gz
• 0.9.x - use statusnet-0.9.0beta5.tar.gz

New releases of all branches will be made available this afternoon EST.