[tech] Agate server: path traversal error security advisory

Johann Galle <johann+gemini (a) qwertqwefsday.eu>

Hi everyone,

there is a security vulnerability in all Agate versions prior to 3.1.0, 
which has been discovered by Matthew Ingwersen.

It has been fixed in the new version, which is available on crates.io; 
prebuilt binaries are also available: 
<https://qwertqwefsday.eu/agate/v3.1.0/> or 
<https://github.com/mbrubeck/agate/releases/tag/v3.1.0>

Percent-encoded slashes were misunderstood, possibly allowing arbitrary 
files to be accessed. This can be an issue depending on which permissions 
and/or user you are running the server with. Therefore an update is 
highly recommended.

Regards,
Johann Galle
2021-06-08T09:20+02:00

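The bug class described in the advisory is a traversal check applied before percent-decoding, so that an encoded `..` or `/` slips past it. As an added illustration (not Agate's own code, and not a claim about how Agate fixed it), the Rust helper below decodes the request path first and only then walks its components, refusing any `..`; the `resolve_under_root` function, the `/srv/gemini` root and the sample paths are constructed for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Percent-decode a URL path ("%2E%2E%2F" -> "../"). Malformed escapes are
/// rejected rather than passed through untouched.
fn percent_decode(s: &str) -> Option<Vec<u8>> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // Needs exactly two ASCII hex digits after the '%'.
            let hex = s.get(i + 1..i + 3)?;
            if !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
                return None;
            }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    Some(out)
}

/// Map a request path to a file under `root`. Decoding happens BEFORE the
/// traversal check, so "%2E%2E%2F" is treated exactly like a literal "../".
fn resolve_under_root(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = String::from_utf8(percent_decode(request_path)?).ok()?;
    if decoded.contains('\0') {
        return None; // a NUL would truncate the name at the OS boundary
    }
    let mut out = root.to_path_buf();
    for component in Path::new(&decoded).components() {
        match component {
            Component::Normal(seg) => out.push(seg),
            // A leading "/" or "." is harmless; just skip it.
            Component::RootDir | Component::CurDir => {}
            // Any ".." (plain or previously encoded) could leave the root: refuse.
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

fn main() {
    let root = Path::new("/srv/gemini");
    for req in ["/docs/index.gmi", "/docs/%2E%2E/%2E%2E/etc/passwd"] {
        println!("{req} -> {:?}", resolve_under_root(root, req));
    }
}
```

A real server should still canonicalize the final path (following symlinks) and confirm it remains under the root before opening it, since this helper only validates the request string.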

neil c timms <mingmengtou (a) use.startmail.com>

On Tue Jun 8, 2021 at 8:19 AM BST, Johann Galle wrote:
> Hi everyone,
>
> there is a security vulnerability in all Agate versions prior to 3.1.0,
> which has been discovered by Matthew Ingwersen.

Johann, thank you for letting us know promptly - this list is
a good way to let us know - at least for me. I've updated, ta. Cheers
Neil

