Date: Wed, 27 Jun 2018 11:40:47 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: oss-security-list@...tactdaniel.net
Subject: Re: rclone data exfiltration / unauthorized API use

Hi Daniel,

On Tue, Jun 26, 2018 at 05:56:18PM -0700, oss-security-list@...tactdaniel.net wrote:
> Due to its reliance on vulnerable upstream vendor SDKs & APIs, all
> current versions of 'rclone' are subject to a variety of attacks.
> 
> This vulnerability is an instance of a class of security vulnerabilities 
> that affect a wide variety of software. Any API which has clients 
> perform actions on arbitrary URLs chosen by the API server will lead to 
> this class of attack becoming a concern.
> 
> Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex 
> Disk APIs are affected.
> 
> No CVE is presently assigned.
> 
> Further details at: 
> https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/

We have a policy here that while list postings may refer to external
URLs, they must be complete on their own, and yours is not.  Please see:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

I'm attaching a text export of your blog post to this message.  Next
time, please do something like this on your own.

Thanks,

Alexander

View attachment "restless-vuln.txt" of type "text/plain" (5799 bytes)
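The quoted description of the vulnerability class (a client that acts on whatever URL the API server hands back) as an added example in Go, not code from rclone, the blog post or this list: a check a client can run on a server-supplied URL before following it with credentials. The allowed-host list and the sample URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUntrustedTarget is returned when a URL taken from an API response points
// somewhere the client has no business sending an authenticated request.
var ErrUntrustedTarget = errors.New("server-supplied URL is not an allowed target")

// CheckServerURL validates a URL that an API response told the client to act on
// (upload, download, redirect) before the client follows it with credentials.
// The weak pattern is to url.Parse the response value and go; this instead
// requires https, no embedded userinfo, and a host on the backend's expected
// list. allowedHosts is a constructed example, not any vendor's endpoint set.
func CheckServerURL(raw string, allowedHosts []string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.User != nil || u.Hostname() == "" {
		return nil, ErrUntrustedTarget
	}
	host := strings.ToLower(u.Hostname())
	for _, allowed := range allowedHosts {
		if host == strings.ToLower(allowed) {
			return u, nil
		}
	}
	return nil, ErrUntrustedTarget
}

func main() {
	allowed := []string{"storage.example.com"}
	// Constructed samples of what an API reply might carry.
	samples := []string{
		"https://storage.example.com/upload/obj1",
		"https://evil.example.net/upload/obj1",
		"http://storage.example.com/upload/obj1",
		"https://user:pw@storage.example.com/x",
	}
	for _, s := range samples {
		_, err := CheckServerURL(s, allowed)
		fmt.Printf("%-45s -> %v\n", s, err)
	}
}
```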
