[Intelmq-users] IntelMQ Manager 2.1.1 Security Bugfix Release
Sebastian Wagner
wagner at cert.at
Mon Apr 27 21:59:26 CEST 2020
Dear community,
The newest IntelMQ Manager release 2.1.1 fixes a critical security bug.
Please never run the IntelMQ Manager without proper authentication in place!
Installation instructions:
https://github.com/certtools/intelmq-manager/blob/2.1.1/docs/INSTALL.md
Bernhard Herzog (Intevation) discovered that the backend incorrectly
handled messages given by user-input in the "send" functionality of the
Inspect-tool of the Monitor component. An attacker with access to the
IntelMQ Manager could possibly use this issue to execute arbitrary code
with the privileges of the webserver.
Updated deb/rpm-packages are already available in the repositories.
Other changes:
### Backend
- Fix misspelling of the environmental variable
`INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an
'a' was missing).
- Fix handling of POST variable `msg` of the message-sending
functionality available in the Inspect-tool.
### Pages
#### Monitor
- Fix running commands with the "inspect" widget by fixing the
definition of the `CONTROLLER_CMD` in the template (PR #194).
### Documentation
- Update supported operating systems in Installation documentation (i.a.
PR #191).
### Known issues
* Missing CSRF protection (#111).
* Graph jumps around on "Add edge" (#148).
* wrong error message for new bots with existing ID (#152).
* `ALLOWED_PATH=` violates CSP (#183).
* Monitor page: Automatic log refresh reset log page to first one (#190).
--
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-users/attachments/20200427/06181484/attachment.sig>
More information about the Intelmq-users
mailing list