CVE-2017-5223, CVE-2018-19296 and CVE-2020-36326:
Mar 17 2024
Mar 15 2024
CVE-2021-34551:
This one requires passing user-provided input as a filename to the "setLanguage" method; we don't call that method.
First pass: these ones do not apply to us (and some of them do not apply to anyone at all):
Nov 13 2023
(I also cannot see T15665)
Nov 12 2023
Nov 11 2023
Nov 10 2023
Note that I cannot see Task T15663
I'm not able to find #conduit on the mozilla.org Matrix homeserver btw
(It needs to be quoted just in we.phorge.it since indeed we have a Tag called Conduit :D Sorry for that)
@valerio.bozzolan If you didn't get an answer, try asking in #conduit. I didn't realize that # needs to be quoted in Remarkup. 😢
Nice! Thanks
It would be great if Mozilla's team could join forces with Phorge. Would you (the core team) contact them in #conduit on chat.mozilla.org and mozilla.slack.com?
I have reviewed it and made some comments. On a remotely related topic, TLS handshakes are expensive and persistent connections can reduce latency and server load by reusing TLS connections, so maybe we should make it configurable outside of cluster.databases as well.
I wonder if they are aware that Phorge exists and that we are open to contributions :)
Nov 7 2023
Jul 22 2023
I have this working now in https://we.phorge.it/D25276. I still have it marked as draft because there are some outstanding things that should be decided/addressed:
- Whether the client certificate should be configurable. Ideally this is something that would be configured in the php.ini rather than directly in phorge, but at the moment I don't think it can be.
- Updating documentation to specify how to set up TLS/SSL. For database configurations there's now a use-tls flag which will require connecting to the database using TLS. For turning on TLS/SSL on the database we can probably provide pointers, but it's left to the reader to determine that based on their database.
- Database clusters with master & replicas? I don't know how to set this up. Those changes might affect cluster dbs but I'm unsure and it's untested.
Jul 20 2023
Jul 19 2023
I picked this up again recently. I'm stuck on getting MariaDB valid certificates that it uses for connections, for testing my Phorge changes.
Jun 22 2023
Jun 17 2023
A bit about Security
Jun 16 2023
Jun 12 2023
Jun 7 2023
It turns out that this is a duplicate:
T15443: Add Diffusion policy capability "Can Edit and View Identities"
But the identities probably should be editable only for:
- people who can edit the repository (people who administer it)
- you, if the email matches yours (since you somehow pushed in the repository)
Uh, thanks. Interesting. Yeah, probably with considerations under Security.
Jun 3 2023
Taking a stab at what it would look like in D25276: Add support for secure connections to the database. It's not tested at all yet but I think that's roughly the shape it would take. I haven't looked into how this would affect cluster environments but I think that is covered.
Yes. The trade off would be user experience. I have absolutely spent 15+ minutes waiting for a reset email on sites after having either typo’d or put in a different email address from the one I signed up with.
If I've understood correctly,
In T15091#9775, @RhinosF1 wrote: Can this be made public?
Can this be made public?
It's 2023, I think "not supporting TLS" should count as "high pri bug" now.
Closing for now as "we're ok with this", and there was no interaction on this ticket for a while.
May 9 2023
Apr 6 2023
We need a NO PULL REQUESTS! script. It reminds me of the old days when people said this in Phabricator pull requests:
(By the way let's understand if this user has a local commit published somewhere) - thanks @Labricator for sharing this info
If you don't like Arcanist, feel free to just do a pull request on GitHub and we will convert that to an Arcanist patch.
In T15045#1474, @Labricator wrote: I'd definitely try, but it depends if we are using GitHub or command line git.
Merging T15102 here; cc @marting, @valerio.bozzolan.
Oct 30 2022
Oct 9 2022
Oct 7 2022
Jul 1 2022
@avivey has fixed this on the upstream install.
Apr 24 2022
In T15090#2141, @avivey wrote: In T15090#2123, @Matthew wrote: @avivey Would it make sense to add a public announcement to Diviner or Phriction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.
Yes, probably. "Announcements"-style thing
Apr 19 2022
Apr 18 2022
In T15090#2123, @Matthew wrote:
That's intentional (upstream) because it's very hard to make any actual attack with this information that can't be made without it.
Apr 17 2022
Note: reporter exploited without permission
Apr 16 2022
In T15090#2127, @Matthew wrote: In T15090#2126, @golyalpha wrote: apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:
I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.
Apr 15 2022
In T15090#2126, @golyalpha wrote: apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:
ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too
Apr 14 2022
We need to cherry-pick and import the changes Evan made into the Phorge repository as well...
Apr 13 2022
err, I was trying to put it out as a Security PSA, so I clicked "Create security task" which I guess is the opposite of a PSA...
Nov 28 2021
Nov 25 2021
In T15045#1613, @goddenrich wrote: Is there an update on this? We would love to see this feature soon
Is there an update on this? We would love to see this feature soon
Oct 25 2021
I would use arc diff
I’d definitely try, but it depends if we are using GitHub or command line git.
@Labricator Could you propose and submit a revision?
Oct 24 2021
Any progress on this? Consensus?
Sep 4 2021
I'll try to look into the feasibility of this later this week. Presumably it shouldn't be too difficult: adding a few configs to point to the certificate files and updating the DAO (I think it is named Lisk?).