[Enswitch-announce] Important security update for Enswitch 3.12 and trunk

Alistair Cunningham acunningham at integrics.com
Mon Sep 8 08:54:25 UTC 2014


This bug was in get_feature_name() in lib/API/Features.pm, where $stype 
was read from users, then used in an SQL statement without further 
validation. This could have been used in an SQL injection attack. We 
apologise for this bug. It has been fixed by validating the variable 
before use.

On 01/09/14 10:41, Alistair Cunningham wrote:
> All,
>
> A security bug has been found in Enswitch 3.12 (the current testing
> version) and trunk. A fix has been produced and committed to subversion.
> Anyone running these versions is advised to upgrade to the latest fixes
> as soon as possible by doing the following as root on each machine:
>
> cd /opt/enswitch/current
> svn up
> enswitch restart
>
> 3.11 (the current stable version) and older versions are not affected,
> and no action is required for them.
>
> More details will be provided in a few days once everyone has had a
> chance to upgrade.
>

-- 
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
http://integrics.com/
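To make the bug described above concrete, the following is an added illustration, not Enswitch code and not taken from lib/API/Features.pm: a hypothetical get_feature_name() that receives a user-supplied $stype. The first version interpolates the value straight into the SQL string, which is the shape the advisory describes; the second validates $stype against a fixed list of known feature types before use, as the fix does, and additionally passes it as a DBI placeholder. The table and column names, the sample rows and the attacker string are all constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration, not Enswitch code: a hypothetical get_feature_name()
# shown first with $stype interpolated unchecked into SQL, then validated.
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite database; table and column names are
# assumptions for this example, not Enswitch's schema.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE features (id INTEGER PRIMARY KEY, stype TEXT, name TEXT)');
$dbh->do("INSERT INTO features (stype, name) VALUES ('voicemail', 'Voicemail')");
$dbh->do("INSERT INTO features (stype, name) VALUES ('queue', 'Call queue')");
$dbh->do('CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT)');
$dbh->do("INSERT INTO secrets (value) VALUES ('admin-password')");

# Vulnerable shape: $stype is dropped straight into the SQL string, so a
# value containing a quote can close the literal and append its own SQL.
sub get_feature_name_vulnerable {
    my ($stype) = @_;
    my $sql = "SELECT name FROM features WHERE stype = '$stype'";
    return $dbh->selectcol_arrayref($sql);
}

# Hardened shape: reject anything that is not a known feature type (the
# allowlist is an assumption), then bind the value as a placeholder so it
# can never change the structure of the statement.
my %valid_stype = map { $_ => 1 } qw(voicemail queue);

sub get_feature_name {
    my ($stype) = @_;
    die "Invalid feature type\n"
        unless defined $stype && $valid_stype{$stype};
    return $dbh->selectcol_arrayref(
        'SELECT name FROM features WHERE stype = ?', undef, $stype);
}

# Constructed attacker input: closes the quoted literal, appends a UNION
# against an unrelated table, and comments out the trailing quote.
my $attack = "x' UNION SELECT value FROM secrets --";

print "vulnerable, normal input: @{ get_feature_name_vulnerable('voicemail') }\n";
print "vulnerable, attack input: @{ get_feature_name_vulnerable($attack) }\n";
print "hardened, normal input:   @{ get_feature_name('queue') }\n";
eval { get_feature_name($attack) };
print "hardened, attack input:   rejected ($@)" if $@;

$dbh->disconnect;
```

Run with DBI and DBD::SQLite installed. The vulnerable version returns the row from the unrelated secrets table when given the attack string, while the hardened version dies before the query is built. Validation alone closes the hole the advisory describes; the placeholder is a second layer so that a future change to the allowlist cannot silently reopen it.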
