REL: Release version 2.1.1 fixing a critical security issue

certtools · Apr 27, 2020 · 7595e41 · 7595e41
1 parent 62d81e5
commit 7595e41
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,35 +2,28 @@ CHANGELOG
 =========
 
 
-2.1.1 (unreleased)
+2.1.1 (2020-04-27)
 ------------------
 Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
 
 ### Backend
-- Fix mispelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing).
+- Fix misspelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing).
 - Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool.
 
 ### Pages
-
-#### Landing page
-
-#### Configuration
-
-#### Management
-
 #### Monitor
 - Fix running commands with the "inspect" widget by fixing the definition of the `CONTROLLER_CMD` in the template (PR #194).
 
-#### Check
-
 ### Documentation
 - Update supported operating systems in Installation documentation (i.a. PR #191).
 
-### Third-party libraries
-
-### Packaging
-
 ### Known issues
+* Missing CSRF protection (#111).
+* Graph jumps around on "Add edge" (#148).
+* wrong error message for new bots with existing ID (#152).
+* `ALLOWED_PATH=` violates CSP (#183).
+* Monitor page: Automatic log refresh reset log page to first one (#190).
+
 
 2.1.0 (2019-10-15)
 ------------------

diff --git a/NEWS.md b/NEWS.md
@@ -3,16 +3,18 @@ NEWS
 
 See the changelog for a full list of changes.
 
-2.1.1 (unreleased)
+2.1.1 (2020-04-27)
 ------------------
-**Never ever run intelmq-manager on a public webserver without SSL and proper authentication**.
 
-Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
+### Security
+* **Never ever run intelmq-manager on a public webserver without SSL and proper authentication**.
+* Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
+* Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](github.com/certtools/intelmq/issues/111)).
 
+### Configuration
 The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration.
 The old name will be available until version 3.0.
 
-Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](github.com/certtools/intelmq/issues/111)).
 
 2.1.0 (2019-10-15)
 ------------------

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,10 @@
+intelmq-manager (2.1.1-1) stable; urgency=critical
+
+  * Update to version 2.1.1.
+   * Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
+
+ -- Sebastian Wagner <[email protected]>  Mon, 27 Apr 2020 21:02:23 +0200
+
 intelmq-manager (2.1.0-1) stable; urgency=medium
 
   * Update to version 2.1.0

diff --git a/intelmq-manager/php/config.php b/intelmq-manager/php/config.php
@@ -24,7 +24,7 @@
 
     $BOT_CONFIGS_REJECT_REGEX = '/[^[:print:]\n\r\t]/';
     $BOT_ID_REJECT_REGEX = '/[^A-Za-z0-9.-]/';
-    $VERSION = "2.1.1a1";
+    $VERSION = "2.1.1";
 
     $ALLOWED_PATH = "/opt/intelmq/var/lib/bots/"; // PHP is allowed to fetch the config files from the current location in order to display bot configurations.
     $FILESIZE_THRESHOLD = 2000; // config files under this size gets loaded automatically; otherwise a link is generated