<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Hi all, <br>
</p>
<div class="">
<div style="margin: 0px; font-stretch: normal; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures;" class=""><span class="">EPrints Services
was recently made aware of a small number of security
vulnerabilities within the EPrints codebase, affecting both
EPrints 3.4 and EPrints 3.3.</span></span></div>
<div style="margin: 0px; font-stretch: normal; line-height:
normal;" class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><span class="">I have created
two patch files to fix the vulnerabilities and uploaded them
to <a href="http://files.eprints.org/" class="">files.eprints.org</a>.</span></span></div>
</div>
<div class=""><br class="">
</div>
- EPrints 3.4.2 : <a class="moz-txt-link-freetext" href="https://files.eprints.org/2548/">https://files.eprints.org/2548/</a>
<br>
- EPrints 3.3.x : <a class="moz-txt-link-freetext" href="https://files.eprints.org/2549/">https://files.eprints.org/2549/</a>
<br>
<br>
The former fixes the EPrints 3.4.2 release and the latter fixes
EPrints 3.3 (based on the current HEAD of <a class="moz-txt-link-freetext" href="https://github.com/eprints/eprints">https://github.com/eprints/eprints</a>).
These links also provide instructions on how to apply the patch file
and some more details on the affected files. There are references
to the Common Vulnerabilities and Exposures (CVE) IDs, but as of now
these are yet to be published. All the vulnerabilities identified
relate to either Cross-Site Scripting (XSS) or Remote Code Execution
(RCE) vulnerabilities. All of these vulnerabilities would require
analysis of the codebase to determine an exploit. It is very
unlikely that generic tools used to identify vulnerabilities would
discover these, as specific knowledge is required. <br>
<br>
I have also updated both the eprints and eprints3.4 GitHub
repositories for the eprints organisation
(<a class="moz-txt-link-freetext" href="https://github.com/eprints">https://github.com/eprints</a>)
to patch these vulnerabilities.
The next release of EPrints 3.4 (3.4.3) will have these security
fixes in place. <br>
<br>
EPrints Services customers, both those whom EPrints Services hosts and
those that self-host, have either been patched or, where this has not
been possible, informed of the vulnerabilities and how they can be
fixed.<br>
<br>
If you have any follow-up questions, please feel free to ask.
Hopefully, the CVEs will be published shortly for those interested
in more detail. However, they were raised by a third party, to whom I
have only just given the go-ahead to make these public. <br>
<br>
Regards <br>
<br>
David Newman
</body>
</html>