"I guess there is no production use of Meteor yet - so its ok to post [this security issue] here? "


Tim Haines

Mar 12, 2013, 8:12:19 PM
to meteo...@googlegroups.com
Hi,

This github issue is a little frightening: "Minor Security hole - I guess there is no production use of Meteor yet - so its ok to post it here?"



I think there probably are many production uses already, and there will soon be many more, us amongst them.  Regardless of the validity of this issue, it will always be much better if security issues and concerns are reported privately.  It could be said that it's common sense, and jan-glx should have emailed it to Meteor DG.  To help with awareness, I'm wondering if a procedure for reporting security concerns could be documented somewhere (perhaps in the readme)?

Tim.

Nick Martin

Mar 12, 2013, 8:57:32 PM
to meteo...@googlegroups.com
Good idea. I've made a new mailing list 'secu...@meteor.com' and will add instructions to send mail there for security issues to the Contributing.md file (and possibly other places to increase visibility).

We'll also be addressing the reported issue and including a fix in the upcoming release.

Thanks,
-- Nick


--
You received this message because you are subscribed to the Google Groups "meteor-core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meteor-core...@googlegroups.com.
To post to this group, send email to meteo...@googlegroups.com.
Visit this group at http://groups.google.com/group/meteor-core?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Geoff Schmidt

Mar 13, 2013, 1:41:34 AM
to meteo...@googlegroups.com
Everyone, if in the future you see potentially sensitive issues that have been filed on GitHub, please email the issue number to secu...@meteor.com. This will go to the MDG pager rotation and we will blank out the GitHub issue and contact the reporter privately.

matt debergalis

Mar 13, 2013, 6:30:39 PM
to meteo...@googlegroups.com
0.5.8 is now out, with the fix. (Rumors of 0.5.9 were premature; we were able to add the allow/deny fix to the already-planned 0.5.8 release.) As I mentioned in the announcement, we recommend that all production sites update to 0.5.8, or pull the changes in from v0.5.7.1. We'll post more information about the fix in a few days on meteor-talk, to give our production users a chance to update.

Even without the allow/deny changes, 0.5.8 was a big release. Thanks to everyone who helped with patches and feedback.

David Glasser

Mar 13, 2013, 6:52:51 PM
to meteo...@googlegroups.com
And just to be explicit: "meteor update" will get you 0.5.8.  If you want to run "v0.5.7.1", which is 0.5.7 plus the update/remove fix, you'll have to check the tag of that name out of our git repo. (With the forthcoming engine branch, it'll be much easier for us to provide releases like 0.5.7.1 to you.)