[Opensim-dev] Opensim-dev Digest, Vol 75, Issue 5
Fred Beckhusen
fred at mitsi.com
Thu Dec 16 19:26:39 UTC 2021
If you have a security issue, attack vector, or other
griefer-loophole report, please file a Private Mantis. It's been
confirmed these can be seen only by you and by Ubit. I've filed
several, and Ubit has been super responsive with feedback, questions,
and fixes. The Private/Public pulldown is at the bottom of the Mantis
reporting form.
Git users: How to Enable Dependabot:
https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
Outworldz Dependabot for this issue:
https://github.com/Outworldz/DreamWorld/pulls?q=is%3Apr+is%3Aclosed
I closed this Dependabot back in Feb 2021 after much offline discussion
with Ubit. We do not have a mechanism for user-uploadable changes to
the config files that this attack depends on.
To some people, the idea that DTDs are a security risk may sound more
like paranoia than good sense, but I don't believe those people are
correct. A healthy paranoia is what we need. Since log4j is running
wild in the field it's been a positive thing to shine more light on this.
Fred
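Added example, not part of Fred's message and not OpenSim or DreamWorld code: the point above is that DTD handling in an XML config loader is a real risk, so the example below shows what a hardened .NET config loader looks like, with DTD processing prohibited and external resolution disabled, beside the weak settings it replaces. The class name `ConfigLoader`, the method names and the sample config text are all assumptions made for this illustration; `XmlReaderSettings`, `DtdProcessing` and `XmlResolver` are the real System.Xml APIs.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical helper for illustration only; not part of any OpenSim project.
public static class ConfigLoader
{
    // Hardened loader: any DOCTYPE/DTD in the config is refused outright,
    // and no XmlResolver is attached, so nothing external can be fetched.
    public static XmlDocument LoadConfigSafely(string xmlText)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject DTDs instead of parsing them
            XmlResolver = null                      // never resolve external resources
        };

        using var reader = XmlReader.Create(new StringReader(xmlText), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    // Weak configuration shown for contrast: DtdProcessing.Parse together with a
    // default resolver is the combination that lets a DTD influence parsing.
    // Kept here only so the difference is visible; do not use in a config loader.
    public static XmlReaderSettings WeakSettingsForComparison()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
    }

    // Returns true when the text contains a DOCTYPE declaration, which a config
    // file in a deployment like this should never need. Useful as a pre-check
    // or as a log/alert signal before the parser even runs.
    public static bool ContainsDoctype(string xmlText)
    {
        return xmlText.IndexOf("<!DOCTYPE", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed sample configs; the DOCTYPE one uses only an internal
        // entity, since the point is that the hardened loader rejects any DTD.
        const string cleanConfig =
            "<config><region name=\"Example\" port=\"9000\"/></config>";
        const string configWithDtd =
            "<!DOCTYPE config [ <!ENTITY greeting \"hi\"> ]>" +
            "<config><region name=\"&greeting;\" port=\"9000\"/></config>";

        var ok = LoadConfigSafely(cleanConfig);
        Console.WriteLine("clean config loaded, root = " + ok.DocumentElement.Name);

        Console.WriteLine("doctype present in second sample: " + ContainsDoctype(configWithDtd));
        try
        {
            LoadConfigSafely(configWithDtd);
            Console.WriteLine("unexpected: DTD config was accepted");
        }
        catch (XmlException ex)
        {
            // Expected path: the reader refuses the DOCTYPE before any entity is expanded.
            Console.WriteLine("rejected as intended: " + ex.Message);
        }
    }
}
```

On the design choice: `DtdProcessing.Prohibit` is stricter than `DtdProcessing.Ignore` because it fails loudly, which is what you want for files that only operators should ever edit; a config that suddenly carries a DOCTYPE is itself worth an alert, which is what the `ContainsDoctype` pre-check is for.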