[D* Security] Security Notice: Please update ASAP

Maxwell Salzberg

Jul 2, 2012, 1:14:07 PM
to diaspo...@googlegroups.com
Hi everyone,

Stephan Schulz (s-f-s on Github) found a security hole in the way D* sends public messages.  I patched it shortly after he mentioned it to me a few weeks ago, and Raven24 and I have spent a good amount of hours verifying the fix and making sure it did not break federation.  I just pushed it to the master branch, so for podmins who have not received the update, please pull ASAP.

The basic issue was that public messages were verifying signatures of messages, but not actually checking that the signature matched the object's creator.   This means that a malicious pod runner could manufacture malicious messages which sent bogus posts and deletion requests.  This only affected public messages, as this check is in place for the private part of the validation phase.  This is now fixed in the master tip on diaspora/diaspora with 190fceaf5ccda14c93292a4a8eb1c24efd0c2939 .

I want to thank Stephan Schulz again for being diligent about reporting the issue, and taking the time to verify that the patch works.  I also want to thank Florian (Raven24) for spending considerable time improving the federation logger and testing the patch for me.  We're lucky to have people like Stephan and Florian helping us out.

Thanks,

Maxwell
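The class of bug described above, illustrated with an added Ruby example that is not Diaspora's own code: two toy verification routines, one that only checks that a signature verifies under the delivering sender's key, and one that also requires the signing key to be the one registered for the object's claimed author. Handles, keys, the directory lookup and the envelope shape are constructed for the example and do not mirror the real federation format.

```ruby
require 'openssl'
require 'base64'

# Constructed keypairs for two users; the directory maps a handle to its public key.
ALICE_KEY   = OpenSSL::PKey::RSA.new(2048)
MALLORY_KEY = OpenSSL::PKey::RSA.new(2048)
DIRECTORY = {
  'alice@pod-a.example'   => ALICE_KEY.public_key,
  'mallory@pod-m.example' => MALLORY_KEY.public_key,
}.freeze

def sign(payload, key)
  Base64.strict_encode64(key.sign(OpenSSL::Digest::SHA256.new, payload))
end

def verify(payload, sig_b64, pub)
  pub.verify(OpenSSL::Digest::SHA256.new, Base64.strict_decode64(sig_b64), payload)
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false # malformed signature or bad base64 is treated as a failed check
end

# Envelope (hypothetical shape): who delivered it, who the object claims wrote it,
# the body, and the signature over the body.
Envelope = Struct.new(:sender, :author, :body, :signature)

# Vulnerable pattern: the signature is checked against the key of whoever delivered
# the envelope, but nothing ties that key to the object's author.
def accept_vulnerable?(env, directory)
  key = directory[env.sender] or return false
  verify(env.body, env.signature, key)
end

# Fixed pattern: the signature must verify under the key registered for the author
# named in the object itself, so a sender cannot speak for someone else.
def accept_fixed?(env, directory)
  key = directory[env.author] or return false
  verify(env.body, env.signature, key)
end

# Constructed envelopes: a genuine post, and a retraction of Alice's post that is
# signed by Mallory but carries Alice as the author.
def genuine_post
  body = 'alice says hello'
  Envelope.new('alice@pod-a.example', 'alice@pod-a.example', body, sign(body, ALICE_KEY))
end

def forged_retraction
  body = 'retract alice-post-42'
  Envelope.new('mallory@pod-m.example', 'alice@pod-a.example', body, sign(body, MALLORY_KEY))
end
```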

Maxwell Salzberg

Jul 2, 2012, 2:37:07 PM
to diaspo...@googlegroups.com
Hi,

Sorry about that, I pushed some dirty local state with the patch... :?

Should be clean to update from head.  I am redeploying to Jd.com, and will confirm when my downtimeless deploy servers make the switchover.


Thanks for bearing with me, and thanks to david @diasp.org for pointing out my mistake.

-m

Maxwell Salzberg

Jul 2, 2012, 2:50:15 PM
to diaspo...@googlegroups.com
Ok,

jd.com is back up, and the stray commits are gone.  Again, sorry about the sloppiness.  Teaches me to push before having coffee in the morning.

Please pull!

-m