security issue - upgrade action required for 2.28 and older versions

Lars Helge Øverland

Nov 15, 2018, 7:05:33 AM
to DHIS 2 Developers list, DHIS 2 Users list, secu...@dhis2.org, dhis2-system-...@googlegroups.com
Hi all,

a potential serious security issue has been discovered with one of the libraries used by DHIS 2. The issue can potentially allow attackers to write or copy files to disk in arbitrary locations. The attacker needs to be logged in to DHIS 2 (authenticated) to do this.

The affected versions are DHIS 2.28 and older.

We have patched the following versions: 2.25, 2.26, 2.27, 2.28.

We recommend that you upgrade to the latest build of the mentioned releases if you are affected. We won't disclose more info about this issue on the public mailing list.


best,

Lars


--

Lars Helge Øverland
Technical lead, DHIS 2
University of Oslo

tuzo engelbert

Nov 15, 2018, 7:10:04 AM
to la...@dhis2.org, DHIS 2 Developers list, DHIS 2 Users list, secu...@dhis2.org, dhis2-system-...@googlegroups.com
Noted with thanks

Renier Rousseau

Nov 15, 2018, 7:22:41 AM
to tuzoen...@gmail.com, la...@dhis2.org, dhis2...@lists.launchpad.net, dhis2...@lists.launchpad.net, secu...@dhis2.org, dhis2-system-...@googlegroups.com
Another one
