Page MenuHomePhorge

SecurityTag
ActivePublic

Details

Description
WARNING: Adding objects to this space does not restrict their view policies!

Security-related issues are stored here.

Recent Activity

Sun, Mar 17

avivey updated the task description for T15758: Monitor PHPMailer security.
Sun, Mar 17, 08:56 · Security

Fri, Mar 15

avivey updated the task description for T15758: Monitor PHPMailer security.
Fri, Mar 15, 19:30 · Security
avivey added a comment to T15758: Monitor PHPMailer security.

CVE-2017-5223, CVE-2018-19296 and CVE-2020-36326:

Fri, Mar 15, 19:30 · Security
avivey added a comment to T15758: Monitor PHPMailer security.

CVE-2021-34551:
This one requires passing user-provided input as a filename to the "setLanguage" method; We don't call that method.

Fri, Mar 15, 19:15 · Security
avivey updated the task description for T15758: Monitor PHPMailer security.
Fri, Mar 15, 19:00 · Security
avivey added a comment to T15758: Monitor PHPMailer security.

First pass, these one do not apply to us (and some of them do not apply to anyone at all):

Fri, Mar 15, 18:56 · Security
avivey triaged T15758: Monitor PHPMailer security as Normal priority.
Fri, Mar 15, 18:44 · Security

Nov 13 2023

valerio.bozzolan added a comment to Q83: Pull security fixes from Mozilla's fork.

(I also cannot see T15665)

Nov 13 2023, 15:06 · Security, Phorge

Nov 12 2023

l2dy updated the question details for Q83: Pull security fixes from Mozilla's fork.
Nov 12 2023, 15:42 · Security, Phorge

Nov 11 2023

l2dy updated the question details for Q83: Pull security fixes from Mozilla's fork.
Nov 11 2023, 08:41 · Security, Phorge
l2dy updated the question details for Q83: Pull security fixes from Mozilla's fork.
Nov 11 2023, 08:13 · Security, Phorge

Nov 10 2023

valerio.bozzolan added a comment to Q83: Pull security fixes from Mozilla's fork.

Note that I cannot see Task T15663

Nov 10 2023, 16:45 · Security, Phorge
l2dy changed the visibility for Q83: Pull security fixes from Mozilla's fork.
Nov 10 2023, 16:40 · Security, Phorge
valerio.bozzolan added a comment to Q83: Pull security fixes from Mozilla's fork.

I'm not able to find #conduit in Matrix mozilla.org homeserver btw

Nov 10 2023, 16:11 · Security, Phorge
valerio.bozzolan added a comment to Q83: Pull security fixes from Mozilla's fork.

(It needs to be quoted just in we.phorge.it since indeed we have a Tag called Conduit :D Sorry for that)

Nov 10 2023, 16:10 · Security, Phorge
l2dy updated the question details for Q83: Pull security fixes from Mozilla's fork.
Nov 10 2023, 16:08 · Security, Phorge
l2dy added a comment to Q83: Pull security fixes from Mozilla's fork.

@valerio.bozzolan If you didn't get an answer, try asking in #conduit. I didn't realize that # needs to be quoted in Remarkup. 😢

Nov 10 2023, 16:05 · Security, Phorge
valerio.bozzolan added a comment to Q83: Pull security fixes from Mozilla's fork.

Nice! Thanks

Nov 10 2023, 15:48 · Security, Phorge
l2dy added a comment to Q83: Pull security fixes from Mozilla's fork.

It would be great if Mozilla's team could join forces with Phorge. Would you (the core team) contact them in #conduit on chat.mozilla.org and mozilla.slack.com?

Nov 10 2023, 15:39 · Security, Phorge
l2dy updated the question details for Q83: Pull security fixes from Mozilla's fork.
Nov 10 2023, 13:39 · Security, Phorge
l2dy added a comment to T15045: Support SSL/TLS for MariaDB connections.

I have reviewed it and made some comments. On a remotely related topic, TLS handshakes are expensive and persistent connections can reduce latency and server load by reusing TLS connections, so maybe we should make it configurable outside of cluster.databases as well.

Nov 10 2023, 13:07 · Security
valerio.bozzolan added a comment to Q83: Pull security fixes from Mozilla's fork.

I wonder if they are aware that Phorge exists and that we are open to contributions :)

Nov 10 2023, 13:05 · Security, Phorge

Nov 7 2023

valerio.bozzolan added a project to Q83: Pull security fixes from Mozilla's fork: Security.
Nov 7 2023, 09:46 · Security, Phorge

Jul 22 2023

speck added a comment to T15045: Support SSL/TLS for MariaDB connections.

I have this working now in https://we.phorge.it/D25276. I still have it marked as draft because there are some outstanding things that should be decided/addressed

  1. Whether client certificate should be configurable. Ideally this is something that would be configured in the php.ini rather than directly in phorge but at the moment I don't think it can be.
  2. Updating documentation to specify how to set up TLS/SSL. For database configurations there's now a use-tls flag which will require connecting to the database using TLS. Turning on TLS/SSL on the database we can probably provide pointers but it's left to the reader for determining that based on their database.
  3. Database clusters with master & replicas? I don't know how to set this up. Those changes might affect cluster dbs but I'm unsure and it's untested.
Jul 22 2023, 04:11 · Security

Jul 20 2023

RhinosF1 changed the edit policy for T15563: Test.
Jul 20 2023, 17:18 · Security
RhinosF1 changed the visibility for T15563: Test.
Jul 20 2023, 17:18 · Security
RhinosF1 closed T15563: Test as Invalid.

Worked

Jul 20 2023, 17:18 · Security
RhinosF1 created T15563: Test.
Jul 20 2023, 17:17 · Security

Jul 19 2023

speck added a comment to T15045: Support SSL/TLS for MariaDB connections.

I picked this up again recently. I’m stuck on getting mariadb valid certificates it uses for connections, for testing my Phorge changes.

Jul 19 2023, 11:43 · Security
avivey updated the task description for T15045: Support SSL/TLS for MariaDB connections.
Jul 19 2023, 05:58 · Security

Jun 22 2023

valerio.bozzolan moved T15490: Uninstalling/Installing an application should eventually involve MFA from Backlog to Code Sprint Candidate on the User-valerio.bozzolan board.
Jun 22 2023, 15:13 · User-valerio.bozzolan, Security
valerio.bozzolan created T15490: Uninstalling/Installing an application should eventually involve MFA.
Jun 22 2023, 15:13 · User-valerio.bozzolan, Security

Jun 17 2023

valerio.bozzolan added a project to T15455: Register New Account: unsafe password check not working correctly?: Security.

A bit about Security

Jun 17 2023, 15:20 · Security

Jun 16 2023

valerio.bozzolan added a revision to T15045: Support SSL/TLS for MariaDB connections: D25276: Add support for secure connections to the database.
Jun 16 2023, 09:23 · Security

Jun 12 2023

avivey added a subtask for T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation: T15282: Fix/avoid/simplify similar fatal: detected dubious ownership in repository at '/var/www/phorge'.
Jun 12 2023, 07:41 · Security

Jun 7 2023

valerio.bozzolan merged task T15451: Implement Diffusion identity reassignment access control into T15443: Add Diffusion policy capability "Can Edit and View Identities".
Jun 7 2023, 15:52 · Policy, Security, Feature Requests, Diffusion
smith closed T15451: Implement Diffusion identity reassignment access control as Invalid.

It turns out that this is a duplicate:
T15443: Add Diffusion policy capability "Can Edit and View Identities"

Jun 7 2023, 12:01 · Policy, Security, Feature Requests, Diffusion
smith added a comment to T15451: Implement Diffusion identity reassignment access control.

But, they identities probably should be editable only for:

  • people who can edit the repository (people who administer it)
  • you, if the email matches yours (since you somehow pushed in the repository)
Jun 7 2023, 10:08 · Policy, Security, Feature Requests, Diffusion
valerio.bozzolan added a project to T15451: Implement Diffusion identity reassignment access control: Policy.
Jun 7 2023, 10:04 · Policy, Security, Feature Requests, Diffusion
valerio.bozzolan added a project to T15451: Implement Diffusion identity reassignment access control: Security.

Uh thanks. Interesting. Yeah probably with considerations under Security probably.

Jun 7 2023, 10:03 · Policy, Security, Feature Requests, Diffusion

Jun 3 2023

speck added a comment to T15045: Support SSL/TLS for MariaDB connections.

Taking a stab at what it would look like in D25276: Add support for secure connections to the database. It's not tested at all yet but I think that's roughly the shape it would take. I haven't looked into how this would affect cluster environments but I think that is covered.

Jun 3 2023, 21:35 · Security
speck added a comment to T15091: Possible to find whether an email is attached to an account.

Yes. The trade off would be user experience. I have absolutely spent 15+ minutes waiting for a reset email on sites after having either typo’d or put in a different email address from the one I signed up with.

Jun 3 2023, 16:08 · People, Security
valerio.bozzolan added a comment to T15091: Possible to find whether an email is attached to an account.

If I've understood correctly,

Jun 3 2023, 10:54 · People, Security
avivey added a comment to T15091: Possible to find whether an email is attached to an account.

Can this be made public?

Jun 3 2023, 10:29 · People, Security
avivey changed the visibility for T15091: Possible to find whether an email is attached to an account.
Jun 3 2023, 10:28 · People, Security
RhinosF1 added a comment to T15091: Possible to find whether an email is attached to an account.

Can this be made public?

Jun 3 2023, 10:23 · People, Security
avivey triaged T15045: Support SSL/TLS for MariaDB connections as High priority.

It's 2023, I think "not supporting TLS" should count as "high pri bug" now.

Jun 3 2023, 08:18 · Security
avivey closed T15091: Possible to find whether an email is attached to an account as Wontfix.

Closing for now as "we're ok with this", and there was no interaction on this ticket for a while.

Jun 3 2023, 08:13 · People, Security

May 9 2023

avivey removed a project from T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation: Phorge General/Unknown.
May 9 2023, 10:42 · Security

Apr 6 2023

avivey edited projects for T15091: Possible to find whether an email is attached to an account, added: People; removed People (archived).
Apr 6 2023, 11:14 · People, Security