Security Bug Report Contact
-
It seems that contact emails and mailing lists might not be monitored.
Are there any developers here so we can report the issue privately?
Thanks.
-
Thanks for the reply, JJJ. I’m not a developer, so when I go to trac I’m easily overwhelmed by the number of tickets and not sure where to look for specifics.
Sometimes it’s frustrating for users like me to get information about bbPress developments. I’d expect news to be posted here on the forum. Then there’s bbpdevel.wordpress.com, but that hasn’t been updated since September. I’m sure there’s info in IRC logs too. It seems there are many places for information to be posted, and it’s not always the place I expect it.
Anyway, I really do appreciate the information, and I’m looking forward to 1.1 (and also an update to the 0.9 branch).
Speaking of security, anyone using bb-attachments should please update to 0.2.8 (you’ll only need to update bb-attachments-init.php)
CK, I think it would be best to create a new topic also and sticky it!
@Ashfame, the bug is not really a showstopper and I am researching another possible issue.
I need to update “check-for-updates” though.
Alright! Your call.
They just announced it to the world this morning so I hope the 1.x users have upgraded to 1.0.3
http://seclists.org/fulldisclosure/2011/Mar/155
I suspect it was not enough time but there never is.
Note that my “block-long-queries” mini-plugin will protect you from this kind of attack and other yet unknown ones via the URL (GET requests)
https://bbpress.org/forums/topic/bbpress-103-released#post-84690
It will work in both bbPress and WordPress
There is really no reason to allow URIs to be longer than 255 characters, but Apache will allow up to 4000 by default, which can carry a massive payload. I have seen some WordPress installs that need that limit bumped up to 320 or even 512; something about the Akismet plugin needs very long URIs for some bad reason.
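The request-length guard described in the post above, written out as an added example. This is not _ck_'s "block-long-queries" plugin and not bbPress or WordPress code; it is a standalone PHP file that assumes it is loaded before the application (for example through PHP's `auto_prepend_file` setting), takes the 255-byte default from the post, and adds a hypothetical path allowlist for the "Akismet needs longer URIs" case the post mentions.

```php
<?php
/**
 * Added example: a minimal "block long queries" guard in the spirit of the
 * mini-plugin described in the thread. Not the plugin's own code.
 * It rejects requests whose URI (path plus query string) exceeds a byte
 * limit before any application code gets to parse that URI.
 */

// Default limit named in the post. Raise to 320 or 512 only if a plugin
// has been measured to need longer request URIs.
define('BLQ_MAX_URI_LENGTH', 255);

// Hypothetical allowlist of path prefixes permitted to exceed the limit.
// Empty by default; every entry widens the attack surface the guard covers.
$blq_exempt_prefixes = array(
    // '/wp-admin/admin-ajax.php',
);

/**
 * Decide whether a request URI should be blocked.
 *
 * @param string $uri             Raw request URI, e.g. $_SERVER['REQUEST_URI'].
 * @param int    $limit           Maximum allowed length in bytes.
 * @param array  $exempt_prefixes Path prefixes allowed to exceed the limit.
 * @return bool  true when the request must be rejected.
 */
function blq_should_block($uri, $limit, array $exempt_prefixes) {
    // strlen() counts bytes, which matches what the web server's own
    // request-line limit counts; a character-aware length would under-count
    // percent-encoded payloads.
    if (strlen($uri) <= $limit) {
        return false;
    }
    // parse_url() returns false for badly malformed input; treat that as
    // "no exemption applies" rather than letting it through.
    $path = parse_url($uri, PHP_URL_PATH);
    if (is_string($path)) {
        foreach ($exempt_prefixes as $prefix) {
            if (strpos($path, $prefix) === 0) {
                return false;
            }
        }
    }
    return true;
}

if (isset($_SERVER['REQUEST_URI'])
    && blq_should_block($_SERVER['REQUEST_URI'], BLQ_MAX_URI_LENGTH, $blq_exempt_prefixes)) {
    // Log the length and source only; the oversized URI itself is exactly the
    // data we do not want copied into log files unchecked.
    error_log(sprintf(
        'block-long-queries: rejected %d-byte URI from %s',
        strlen($_SERVER['REQUEST_URI']),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    header('HTTP/1.1 414 Request-URI Too Long');
    header('Content-Type: text/plain');
    exit('Request-URI Too Long');
}
```

The check bounds only what arrives in the request line, so POST bodies and headers are untouched; it is a generic size limit on one input channel, which is why the post pairs it with the actual upgrade to 1.0.3 rather than offering it as a replacement.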
@_ck_ Can you take a look at the Trac for 1.3
There was some talk that 1.0.3 was copied from the 1.0 branch and may not have all the fixes that were in the trunk. Unfortunately, I am not experienced with source control software so can’t make much sense out of it.
Trac unfortunately doesn’t disclose where the tag was created from, the only documentation is the comment JJJ made.
https://trac.bbpress.org/changeset/2930
However it’s easy to test.
Check out a copy from the trunk, then do a “switch” to tag/1.0.3 and see what files (if any) are changed.
The SVN itself may disclose more details but let’s see what happens…
ah no, I forgot the trunk is actually 1.1
Yeah 1.0.3 is a branch from 1.0.2, not the trunk.
If a fix wasn’t committed to the 1.0 branch, it won’t be in 1.0.3
But you can always use the trunk for 1.1 preview
Thanks for the tip!
Do you mean that 1.0.3 only contains the security fix applied on 1.0.2?
Correct. 1.0.3 contains several security fixes to the existing 1.0 branch of code, which means no new major features or changes happened and it includes fixes to existing bugs.
1.1 will see a release candidate soon.
There was no announcement for 1.0.3 because when I tagged it, it required a new tag of BackPress and BuddyPress needed to be changed too. With 1.1 and the plugin coming soon, it just never got an official announcement.
On a more personal note, my resources and bandwidth are spread between several projects at the moment, so switching contexts quickly is something I’m adjusting more to. An announcement about 1.0.3 will happen when an RC for 1.1 goes out, which should be in the next few days.