Security problem with YaCy dev rel. 1.67

Events, suggestions and actions

Security problem with YaCy dev rel. 1.67

Post by David » Wed Jan 01, 2014 11:20 pm

From the yacy twitter page:
because of a security problem with the current YaCy dev rel. 1.67 we ask everyone to migrate back to a dev rel. before 18.12. or stable 1.66

https://twitter.com/yacy_search

The latest stable version can be downloaded from the yacy.net front page:
http://www.yacy.net/
David
 
Posts: 170
Joined: Tue Mar 05, 2013 5:35 pm

Re: Security problem with YaCy dev rel. 1.67

Post by reger » Thu Jan 02, 2014 5:00 am

fyi:
In development release 1.67/9629, the first hot-fix regarding this security (proxy) issue is implemented.
reger
 
Posts: 46
Joined: Wed Jan 02, 2013 9:23 am

Re: Security problem with YaCy dev rel. 1.67

Post by Yududi » Thu Jan 02, 2014 6:11 pm

After updating to version 1.67/9465 via the Debian package manager, I can no longer access my peer when using stunnel.
I use stunnel to forward requests from port 443 to 8090 in order to enable HTTPS.
This is certainly related to the fix.
Yududi
 
Posts: 64
Joined: Tue Dec 10, 2013 12:30 pm

Re: Security problem with YaCy dev rel. 1.67

Post by Orbiter » Thu Jan 02, 2014 6:51 pm

sorry for the late explanation of this bug:
during the migration from the old self-made httpd to jetty the httpd proxy was migrated as well, but the security checks had been omitted. As a first emergency-activity I twittered to migrate back, removed all the development versions including all the jetty-updates and added a first (but not sufficient) bugfix. Because my debian-deploymentserver was still in the bag where I transported it for 30c3 and the bag was not at the same place as I was at that time, it was not possible to make a debian release with a bugfix. A standard tarball was created automatically by the lulabad-release-script.

At this time, two emergency-bugfixes should work which prevent unwanted usage of the proxy. The debian version has been updated as well. The dev-release update-servers should serve these bugfixes.

I believe that the stunnel-problem is not related to the security problem, but we will try to sort this out completely.
Orbiter
 
Posts: 5797
Joined: Tue Jun 26, 2007 10:58 pm
Location: Frankfurt am Main

Re: Security problem with YaCy dev rel. 1.67

Post by Yududi » Thu Jan 02, 2014 7:26 pm

I have changed back to 1.66/9294.
With this version stunnel works.
Yududi
 
Posts: 64
Joined: Tue Dec 10, 2013 12:30 pm

Re: Security problem with YaCy dev rel. 1.67

Post by reger » Fri Jan 03, 2014 3:40 pm

Yududi wrote: I use stunnel to forward requests from port 443 to 8090 in order to enable HTTPS.

Regarding the described https forwarding issue I found 2 answers:

One: Domain names were not resolved to a local IP, which would cause this error (this was improved/fixed: https://gitorious.org/yacy/rc1/commit/e6b9643fd69e18ccd479128f8682312a4e35766e)

Two: with the use of Jetty, the https implementation has also changed
- https will no longer be available on the standard port (e.g. 8090) but is accessible via port 8443 (port number currently hardcoded).
reger
 
Posts: 46
Joined: Wed Jan 02, 2013 9:23 am

Re: Security problem with YaCy dev rel. 1.67

Post by Yududi » Fri Jan 03, 2014 4:08 pm

"One" may help; I will test it with the next YaCy update for Debian when it's included, thank you.
"Two" probably won't help in that case because stunnel takes the request at port 443 and delivers it to the standard HTTP port, that's in that case 8090. I don't use the SSL functionality that's built right into YaCy itself.
Yududi
 
Posts: 64
Joined: Tue Dec 10, 2013 12:30 pm

Re: Security problem with YaCy dev rel. 1.67

Post by reger » Tue Jan 07, 2014 3:02 am

A little status update on the proxy issue.

Status:
- transparent Proxy - should work with
    - Access restriction to the configured White list
    - the Proxy accounts are not implemented yet (Status 1.67/0978)

- same for the URL Proxy (/Proxy.html?url=...)

- the remote Proxy function has not been worked on (so won't work)
reger
 
Posts: 46
Joined: Wed Jan 02, 2013 9:23 am
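
The status post above says that the transparent proxy and the URL proxy (/Proxy.html?url=...) are both restricted to the configured white list. As an added example (not YaCy's code and not part of the thread), this Python example applies one client-IP gate to both proxy entry points while leaving ordinary pages reachable; the whitelist format, the function names, the CONNECT handling and the sample requests are assumptions.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Constructed whitelist: comma-separated client-IP wildcard patterns.
# The real YaCy setting name and format are not shown in the thread.
PROXY_WHITELIST = "127.0.0.1,192.168.*,10.*"


def client_allowed(client_ip: str, whitelist: str = PROXY_WHITELIST) -> bool:
    """True if client_ip matches one of the whitelist patterns."""
    try:
        ip = str(ipaddress.ip_address(client_ip))  # normalise, reject garbage
    except ValueError:
        return False
    patterns = [p.strip() for p in whitelist.split(",") if p.strip()]
    return any(fnmatch.fnmatchcase(ip, p) for p in patterns)


def is_proxy_request(method: str, target: str) -> bool:
    """Recognise every way a request can ask the server to fetch for it."""
    if method.upper() == "CONNECT":
        return True  # tunnel request to another host (assumed in scope)
    if urlsplit(target).scheme in ("http", "https"):
        return True  # absolute-URI request line: transparent proxy
    return urlsplit(target).path == "/Proxy.html"  # URL proxy page


def decide(client_ip: str, method: str, target: str) -> int:
    """HTTP status a hypothetical front handler would answer with."""
    if is_proxy_request(method, target) and not client_allowed(client_ip):
        return 403  # proxy use from a client outside the whitelist
    return 200


# Constructed sample requests: (client IP, method, request target)
SAMPLES = [
    ("192.168.1.20", "GET", "http://example.org/"),
    ("203.0.113.7", "GET", "http://example.org/"),
    ("203.0.113.7", "GET", "/Proxy.html?url=http://example.org/"),
    ("203.0.113.7", "CONNECT", "example.org:443"),
    ("203.0.113.7", "GET", "/yacysearch.html?query=test"),
]

if __name__ == "__main__":
    for ip, method, target in SAMPLES:
        print(ip, method, target, "->", decide(ip, method, target))
```

The gate runs before any proxy handler is chosen, so a proxy path added later cannot bypass the check.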

Re: Security problem with YaCy dev rel. 1.67

Post by Yududi » Tue Jan 14, 2014 11:46 pm

https forwarding works again now with the debian package thx
Yududi
 
Posts: 64
Joined: Tue Dec 10, 2013 12:30 pm

