Skip to:
Content
Pages
Categories
Search
Top
Bottom

Security Bug Report Contact


  • yehgdotnet
    Member

    @yehgdotnet

    It seems that contact emails and mailing lists might not be monitored.

    Are there any developers here so we report the issue privately?

    Thanks.

Viewing 20 replies - 51 through 70 (of 70 total)

  • citizenkeith
    Participant

    @citizenkeith

    Thanks for the reply, JJJ. I’m not a developer, so when I go to trac I’m easily overwhelmed by the number of tickets and not sure where to look for specifics.

    Sometimes it’s frustrating for users like me to get information about bbPress developments. I’d expect news to be posted here on the forum. Then there’s bbpdevel.wordpress.com, but that hasn’t been updated since September. I’m sure there’s info in IRC logs too. It seems there are many places for information to be posted, and it’s not always the place I expect it.

    Anyway, I really do appreciate the information, and I’m looking forward to 1.1 (and also an update to the 0.9 branch).


    citizenkeith
    Participant

    @citizenkeith

    Thanks for the reply, JJJ. I’m not a developer, so when I go to trac I’m easily overwhelmed by the number of tickets and not sure where to look for specifics.

    Sometimes it’s frustrating for users like me to get information about bbPress developments. I’d expect news to be posted here on the forum. Then there’s bbpdevel.wordpress.com, but that hasn’t been updated since September. I’m sure there’s info in IRC logs too. It seems there are many places for information to be posted, and it’s not always the place I expect it.

    Anyway, I really do appreciate the information, and I’m looking forward to 1.1 (and also an update to the 0.9 branch).


    _ck_
    Participant

    @_ck_

    Speaking of security, anyone using bb-attachments should please update to 0.2.8

    (you’ll only need to update bb-attachments-init.php)


    _ck_
    Participant

    @_ck_

    Speaking of security, anyone using bb-attachments should please update to 0.2.8

    (you’ll only need to update bb-attachments-init.php)


    Ashfame
    Participant

    @ashfame

    CK, I think it would be best to create a new topic also and sticky it!


    Ashfame
    Participant

    @ashfame

    CK, I think it would be best to create a new topic also and sticky it!


    _ck_
    Participant

    @_ck_

    @Ashfame, the bug is not really a showstopper and I am researching another possible issue.

    I need to update “check-for-updates” though.


    _ck_
    Participant

    @_ck_

    @Ashfame, the bug is not really a showstopper and I am researching another possible issue.

    I need to update “check-for-updates” though.


    Ashfame
    Participant

    @ashfame

    Alright! Your call.


    Ashfame
    Participant

    @ashfame

    Alright! Your call.


    _ck_
    Participant

    @_ck_

    They just announced it to the world this morning so I hope the 1.x users have upgraded to 1.0.3

    http://seclists.org/fulldisclosure/2011/Mar/155

    I suspect it was not enough time but there never is.

    Note that my “block-long-queries” mini-plugin will protect you from this kind of attack and other yet unknown ones via the URL (GET requests)

    http://bbpress.org/forums/topic/bbpress-103-released#post-84690

    It will work in both bbPress and WordPress

    There is really no reason to allow URIs to be longer than 255 characters but apache will allow up to 4000 by default which can carry a massive payload. I have seen some wordpress installs that need that limit bumped up to 320 or even 512, something about the akismet plugin needs very long URIs for some bad reason.


    _ck_
    Participant

    @_ck_

    They just announced it to the world this morning so I hope the 1.x users have upgraded to 1.0.3

    http://seclists.org/fulldisclosure/2011/Mar/155

    I suspect it was not enough time but there never is.

    Note that my “block-long-queries” mini-plugin will protect you from this kind of attack and other yet unknown ones via the URL (GET requests)

    http://bbpress.org/forums/topic/bbpress-103-released#post-84690

    It will work in both bbPress and WordPress

    There is really no reason to allow URIs to be longer than 255 characters but apache will allow up to 4000 by default which can carry a massive payload. I have seen some wordpress installs that need that limit bumped up to 320 or even 512, something about the akismet plugin needs very long URIs for some bad reason.


    Ashfame
    Participant

    @ashfame

    @_ck_ Can you take a look at the Trac for 1.3

    There was some talk that 1.0.3 was copied from the 1.0 branch and may not have all the fixes that were in the trunk. Unfortunately, I am not experienced with source control software so can’t make much sense out of it.


    Ashfame
    Participant

    @ashfame

    @_ck_ Can you take a look at the Trac for 1.3

    There was some talk that 1.0.3 was copied from the 1.0 branch and may not have all the fixes that were in the trunk. Unfortunately, I am not experienced with source control software so can’t make much sense out of it.


    _ck_
    Participant

    @_ck_

    Trac unfortunately doesn’t disclose where the tag was created from, the only documentation is the comment JJJ made.

    http://trac.bbpress.org/changeset/2930

    However it’s easy to test.

    Checkout a copy from the trunk, then do a “switch” to tag/1.0.3 and see what files (if any are changed).

    The SVN itself may disclose more details but let’s see what happens…

    ah no, I forgot the trunk is actually 1.1

    Yeah 1.0.3 is a branch from 1.0.2, not the trunk.

    If a fix wasn’t committed to the 1.0 branch, it won’t be in 1.0.3

    But you can always use the trunk for 1.1 preview


    _ck_
    Participant

    @_ck_

    Trac unfortunately doesn’t disclose where the tag was created from, the only documentation is the comment JJJ made.

    http://trac.bbpress.org/changeset/2930

    However it’s easy to test.

    Checkout a copy from the trunk, then do a “switch” to tag/1.0.3 and see what files (if any are changed).

    The SVN itself may disclose more details but let’s see what happens…

    ah no, I forgot the trunk is actually 1.1

    Yeah 1.0.3 is a branch from 1.0.2, not the trunk.

    If a fix wasn’t committed to the 1.0 branch, it won’t be in 1.0.3

    But you can always use the trunk for 1.1 preview


    Ashfame
    Participant

    @ashfame

    Thanks for the tip!

    Do you mean that 1.0.3 only contains the security fix applied on 1.0.2?


    Ashfame
    Participant

    @ashfame

    Thanks for the tip!

    Do you mean that 1.0.3 only contains the security fix applied on 1.0.2?


    John James Jacoby
    Keymaster

    @johnjamesjacoby

    Correct. 1.0.3 contains several security fixes to the existing 1.0 branch of code, which means no new major features or changes happened and it includes fixes to existing bugs.

    1.1 will see a release candidate soon.

    There was no announcement for 1.0.3 because when I tagged it, it required a new tag of BackPress and BuddyPress needed to be changed too. With 1.1 and the plugin coming soon, it just never got an official announcement.

    On a more personal note, my resources and bandwidth are spread between several projects at the moment, so switching contexts quickly is something I’m adjusting more to. An announcement about 1.0.3 will happen when an RC for 1.1 goes out, which should be in the next few days.


    John James Jacoby
    Keymaster

    @johnjamesjacoby

    Correct. 1.0.3 contains several security fixes to the existing 1.0 branch of code, which means no new major features or changes happened and it includes fixes to existing bugs.

    1.1 will see a release candidate soon.

    There was no announcement for 1.0.3 because when I tagged it, it required a new tag of BackPress and BuddyPress needed to be changed too. With 1.1 and the plugin coming soon, it just never got an official announcement.

    On a more personal note, my resources and bandwidth are spread between several projects at the moment, so switching contexts quickly is something I’m adjusting more to. An announcement about 1.0.3 will happen when an RC for 1.1 goes out, which should be in the next few days.

Viewing 20 replies - 51 through 70 (of 70 total)

The topic ‘Security Bug Report Contact’ is closed to new replies.