| [05:35:47] | * symbioquine[m] has quit (Ping timeout: 260 seconds) |
| [05:36:31] | * symbioquine[m] has joined #farmos |
| [13:37:29] | <mstenta[m]> | FYI all a security release for Drupal core just came out: https://www.drupal.org/sa-core-2021-002 |
| [13:37:45] | <calbasi_matrix> | Thanks! |
| [13:38:10] | <mstenta[m]> | I committed it to the repo: https://github.com/farmOS/farmOS/commit/5a61d5e07216b5553729daf68ac6c942... |
| [13:38:33] | <mstenta[m]> | A new dev snapshot will be available soon here: https://www.drupal.org/project/farm/releases/7.x-1.x-dev (wait for the "Last updated" to update on that page) |
| [13:38:41] | <mstenta[m]> | All Farmier-hosted instances are updated already |
| [13:39:12] | <mstenta[m]> | For what it's worth, this fixes a theoretical XSS vulnerability - so in practice it probably isn't a huge risk for most people |
| [13:39:30] | <mstenta[m]> | Because that would require someone with a farmOS role to target another user in the same system |
| [13:40:08] | <mstenta[m]> | So if you gave access to your farmOS to someone you don't trust, who knows how to exploit XSS vulns, maybe update... or just block them ;-) |
| [13:40:29] | <symbioquine[m]> | > "Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible." |
| [13:40:30] | <symbioquine[m]> | I don't see where they describe those configuration changes... Is there a different page with more of the actual technical details of the exploit? |
| [13:40:52] | <mstenta[m]> | They often don't go into much detail on HOW to exploit it in these security advisories |
| [13:41:18] | <mstenta[m]> | I think because they want people to update before the bad guys figure it out :-) |
| [13:41:53] | <mstenta[m]> | It's entirely possible that this doesn't affect farmOS at all� |
| [14:04:32] | <symbioquine[m]> | Based on https://git.drupalcode.org/project/drupal/-/commit/9c8d2ca3a625879910a46... I'd have to guess it's either something to do with tag attributes that start with a "-" (minus) or maybe some case where long tag attributes sometimes get interpreted as multiple attributes - meaning something like an onclick could be embedded in the just right place. |
| [14:04:47] | <symbioquine[m]> | That said there's also https://git.drupalcode.org/project/drupal/-/commit/16410c623a88fefa94b83... |