Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 27 Jun 2018 11:40:47 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: oss-security-list@...tactdaniel.net
Subject: Re: rclone data exflitration / unauthorized API use

Hi Daniel,

On Tue, Jun 26, 2018 at 05:56:18PM -0700, oss-security-list@...tactdaniel.net wrote:
> Due to it's reliance on vulnerable upstream vendor SDKs & APIs, all 
> current versions of 'rclone' are subject to a variety of attacks.
> 
> This vulnerability is an instance of a class of security vulnerabilities 
> that affect a wide variety of software. Any API which has clients 
> perform actions on arbitrary URLs chosen by the API server will lead to 
> this class of attack becoming a concern.
> 
> Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex 
> Disk APIs are affected.
> 
> No CVE is presently assigned.
> 
> Further details at: 
> https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/

We have a policy here that while list postings may refer to external
URLs, they must be complete on their own, and yours is not.  Please see:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

I'm attaching a text export of your blog post to this message.  Next
time, please do something like this on your own.

Thanks,

Alexander

View attachment "restless-vuln.txt" of type "text/plain" (5799 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ