Important update re. security fix in re:dash


Arik Fraimovich

Jul 20, 2015, 12:39:32 PM

I've tried to contact as many of you as possible before the public announcement, so if you handled this already, you can ignore this email.

The latest release (0.6.3 and newer) includes a fix for a security issue with the way Google OAuth authentication was implemented in re:dash. If you're using Google OAuth authentication with re:dash, and your re:dash instance is open to the Internet, you should upgrade immediately.

See full details below.

Which version has the fix?

How to upgrade?
See details here. These instructions will work for you if you're using version 0.5 or newer. If you have an older version, please contact me and I'll guide you on how to upgrade.

Also, if you're still using version 0.5, I suggest turning off re:dash services before running the upgrade, as some migrations will take time and can fail if re:dash is still running.

If you already have the fabric upgrade script, please make sure you have the latest version.

I can't upgrade, what should I do?
Please contact me, and I'll help you to patch your existing install.

How can I check if I had unwanted logins?
Just check the user objects in your re:dash database. You can do this with the CLI:
cd /opt/redash/current
sudo sudo -u redash bin/run ./ users list

If you're using version 0.6.1 or newer, you can also check this with the web admin -- /admin/user.

And you can just check the database directly (sudo sudo -u postgres psql redash and then select name, email from users).

What was the problem?
I prefer not to disclose this information publicly at the moment, to give time for users to upgrade. If you need details, please email me directly.

I have a different question.
Just reply to this email.

Thanks and apologies for the inconvenience.

Arik Fraimovich