<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div>
<p><font size="2" face="sans-serif">Thank you David.</font><br>
<font size="2" face="sans-serif">We applied the procedure yesterday (I use RSS on
</font><a href="http://files.eprints.org/"><font size="2" face="sans-serif">http://files.eprints.org</font></a><font size="2" face="sans-serif">)
</font><font size="2" face="sans-serif">and everything worked fine.</font><br>
<br>
<font size="2" face="sans-serif">Kind regards,</font><br>
<br>
<font size="2" face="sans-serif">Martin</font><br>
<br>
<font size="2" face="sans-serif">--</font><br>
<font size="2" face="sans-serif">Dr. Martin Brändle</font><br>
<font size="2" face="sans-serif">Zentrale Informatik</font><br>
<font size="2" face="sans-serif">Universität Zürich</font><br>
<font size="2" face="sans-serif">Stampfenbachstr. 73</font><br>
<font size="2" face="sans-serif">CH-8006 Zürich</font><br>
<br>
<br>
<br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">"David R Newman via Eprints-tech" <eprints-tech@ecs.soton.ac.uk></font><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">"eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk></font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">24/02/2021 10:44</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">[EP-tech] EPrints Security Announcement - February 2020</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Sent by: </font><font size="1" face="sans-serif"><eprints-tech-bounces@ecs.soton.ac.uk></font><br>
</p>
<hr width="100%" size="2" align="left" noshade="" style="color:#8091A5; ">
<br>
<br>
<br>
<font size="3" face="serif">Hi all, </font><br>
<font size="3" face="serif">EPrints Services was recently made aware of a small number of security vulnerabilities within the EPrints codebase, affecting both EPrints 3.4 and EPrints 3.3.</font><br>
<font size="3" face="serif">I have created two patch files to fix the vulnerabilities and uploaded them to
</font><a href="http://files.eprints.org/"><font size="3" color="#0000FF" face="serif"><u>files.eprints.org</u></font></a><font size="3" face="serif">.</font><br>
<br>
<font size="3" face="serif">- EPrints 3.4.2 : </font><a href="https://files.eprints.org/2548/"><font size="3" color="#0000FF" face="serif"><u>https://files.eprints.org/2548/</u></font></a><font size="3" face="serif"> <br>
- EPrints 3.3.x : </font><a href="https://files.eprints.org/2549/"><font size="3" color="#0000FF" face="serif"><u>https://files.eprints.org/2549/</u></font></a><font size="3" face="serif"> <br>
<br>
The former fixes the EPrints 3.4.2 release and the latter fixes EPrints 3.3 (based on the current HEAD of
</font><a href="https://github.com/eprints/eprints"><font size="3" color="#0000FF" face="serif"><u>https://github.com/eprints/eprints</u></font></a><font size="3" face="serif">).
These links also provide instructions on how to apply the patch file and some more details on the affected files. There are references to the Common Vulnerabilities and Exposures (CVE) IDs, but as of now these are yet to be published. All the vulnerabilities
identified relate to either Cross-Site Scripting (XSS) or Remote Code Execution (RCE). All of these vulnerabilities would require analysis of the codebase to determine an exploit. It is very unlikely that generic tools used to identify vulnerabilities
would discover these, as specific knowledge is required. <br>
<br>
I have also updated both the eprints and eprints3.4 GitHub repositories of the eprints organisation (</font><a href="https://github.com/eprints"><font size="3" color="#0000FF" face="serif"><u>https://github.com/eprints</u></font></a><font size="3" face="serif">) to patch these vulnerabilities.
The next release of EPrints 3.4 (3.4.3) will have these security fixes in place.
<br>
<br>
EPrints Services customers, both those whom EPrints Services hosts and those that self-host, have either been patched or, where this has not been possible, informed of the vulnerabilities and how they can be fixed.<br>
<br>
If you have any follow-up questions, please feel free to ask. Hopefully, the CVEs will be published shortly for those interested in more detail. However, they were raised by a third party, whom I have only just given the go-ahead to make these public.
<br>
<br>
Regards <br>
<br>
David Newman </font><br>
<br>
<tt><font size="2">*** Options:
</font></tt><tt><font size="2"><a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech">http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech</a></font></tt><tt><font size="2"><br>
*** Archive: </font></tt><tt><font size="2"><a href="http://www.eprints.org/tech.php/">http://www.eprints.org/tech.php/</a></font></tt><tt><font size="2"><br>
*** EPrints community wiki: </font></tt><tt><font size="2"><a href="http://wiki.eprints.org/">http://wiki.eprints.org/</a></font></tt><br>
<br>
</div>
</body>
</html>