dhis2-devs team mailing list archive

Thread
Date

Re: [Dhis2-users] security issue - upgrade action required for 2.28 and older versions

To: lars@xxxxxxxxx
From: tuzo engelbert <tuzoengelbert@xxxxxxxxx>
Date: Thu, 15 Nov 2018 15:09:26 +0300
Cc: DHIS 2 Users list <dhis2-users@xxxxxxxxxxxxxxxxxxx>, dhis2-system-administrators@xxxxxxxxxxxxxxxx, security@xxxxxxxxx, DHIS 2 Developers list <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAD_DPKwAR_6=TOMfvEt3xx-oGfWrrc14wp5cX6k529va91dqHg@mail.gmail.com>

Noted with thanks

On Thu, Nov 15, 2018 at 3:06 PM Lars Helge Øverland <lars@xxxxxxxxx> wrote:

> Hi all,
>
> a potential serious security issue has been discovered with one of the
> libraries used by DHIS 2. The issue can potentially allow attackers to
> write or copy files to disk in arbitrary locations. The attacker needs to
> be logged in to DHIS 2 (authenticated) to do this.
>
> The affected versions are *DHIS 2.28 and older*.
>
> We have patched the following versions: 2.25, 2.26, 2.27, 2.28.
>
> We recommend that you upgrade to the latest build of the mentioned
> releases if you are affected. We won't disclose more info about this issue
> on the public mailing list.
>
>
> best,
>
> Lars
>
>
> --
>
> Lars Helge Øverland
> Technical lead, DHIS 2
> University of Oslo
> lars@xxxxxxxxx
> https://www.dhis2.org
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help   : https://help.launchpad.net/ListHelp
>

References

security issue - upgrade action required for 2.28 and older versions
From: Lars Helge Øverland, 2018-11-15