Security vulnerability found in Lift, upgrade now.


Diego Medina

Mar 16, 2015, 7:15:17 AM3/16/15
to Lift
Dear community,

We were recently informed about a security vulnerability found in a Scala library we use in Lift. The Lift team quickly created a patch and we have released the following versions that include the patch:

* If you are using Lift 2.5 or 2.5.1, please upgrade to 2.5.2
* For users using 2.6, upgrade to 2.6.1
* If you are using 3.0-M3, please upgrade to 3.0-M4 which is the same as M3 but with the patch
* If you are using 3.0-SNAPSHOT you have two options, you can simply download a new snapshot which has the patch, or you can upgrade to 3.0-M5 which is all the code you find today in master plus the security fix.

We have already informed the folks at Typesafe about this issue.

We are hoping to release the details of this vulnerability this Friday, unless we are asked to give Typesafe or any other Scala project more time to apply a patch.

If you run any Lift application, please upgrade right now.

Thank you.

The Lift Team

Jonathan Ferguson

Mar 22, 2015, 7:29:15 PM3/22/15
to lif...@googlegroups.com
Is there any update on this?

I'm assuming as there was no update, that Typesafe or others have asked Liftweb to hold off on releasing information.

Thanks
Jono

Jonathan Ferguson

Mar 22, 2015, 7:59:51 PM3/22/15
to lif...@googlegroups.com
Looks like dpp blogged about it over the weekend: 


Cheers 
Jono

Antonio Salazar Cardozo

Mar 23, 2015, 2:53:02 PM3/23/15
to lif...@googlegroups.com
Along with this comes the recommendation that you upgrade to 2.5.3, 2.6.2, 3.0-M4-1,
or 3.0-M5-1 to get the additional security tweaks we made after the initial release.

The XXE vulnerability is fixed in 2.5.2 and 2.6.1 and friends, and could lead to private files
on the server being leaked to the client.

The other issues we fixed in 2.5.3 and 2.6.2 and friends were related to potential memory
use attacks in DOCTYPE declarations (e.g., billion laughs and its friend quadratic blowup)
from untrusted XMLs.
Thanks,
Antonio
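Added example, not code from this thread or from Lift itself: a Scala parser configuration that refuses any DOCTYPE declaration, which closes off both external-entity resolution (the XXE file leak) and the DOCTYPE entity-expansion attacks Antonio mentions. The `SafeXml` object and the sample inputs are constructed for illustration; the feature URIs are standard JAXP/Xerces feature names.

```scala
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.SAXParseException
import scala.xml.{Elem, XML}

object SafeXml {
  // Hardened SAX factory: a DOCTYPE is the entry point for both external
  // entities (XXE) and entity-expansion bombs, so reject it outright and
  // additionally disable entity/DTD loading as defence in depth.
  private def hardenedFactory(): SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f.setXIncludeAware(false)
    f
  }

  // Parse untrusted XML; a rejected document yields Left with the parser's reason.
  def parse(untrusted: String): Either[String, Elem] =
    try Right(XML.withSAXParser(hardenedFactory().newSAXParser()).loadString(untrusted))
    catch { case e: SAXParseException => Left(s"rejected: ${e.getMessage}") }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: one plain document, one carrying a DOCTYPE with an
    // (internal, harmless) entity, which the hardened parser must still refuse.
    val benign = "<user><name>alice</name></user>"
    val withDoctype =
      """<!DOCTYPE d [<!ENTITY e "x">]><user><name>&e;</name></user>"""
    Seq(benign, withDoctype).foreach(s => println(parse(s)))
  }
}
```

Wrapping the factory this way means any `loadString`/`load` call in the application inherits the restrictions, rather than relying on each call site to remember them.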

Dave Briccetti

Mar 23, 2015, 4:31:26 PM3/23/15
to lif...@googlegroups.com
Well done, addressing these issues!

Vasya Novikov

Mar 26, 2015, 9:33:38 AM3/26/15
to lif...@googlegroups.com
Thanks for the upgrade and for letting us know!
// I've read it here http://lift.la/blog/lift_xxe_vulnerability
--
Vasya Novikov

Joe Barnes

Mar 26, 2015, 3:59:17 PM3/26/15
to lif...@googlegroups.com, n1m5-goo...@yandex.ru
I just noticed that we don't have any mention of these fixes on our site.  What is the best way we should put it on our Latest Happenings since it is not a single version released?

Joe

Antonio Salazar Cardozo

Mar 31, 2015, 9:46:36 AM3/31/15
to lif...@googlegroups.com, n1m5-goo...@yandex.ru
I've been planning on assembling some release notes for the latest round of fixes
that accumulates the info from both sets. Will be aiming to get that done by this
weekend; I was out of town this past one so didn't get a chance.
Thanks,
Antonio