<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div>
<p><font size="2" face="sans-serif">Thank you David.</font><br>
<font size="2" face="sans-serif">We applied the procedure yesterday (I use RSS on
</font><a href="http://files.eprints.org/"><font size="2" face="sans-serif">http://files.eprints.org</font></a><font size="2" face="sans-serif">)
</font><font size="2" face="sans-serif">and everything worked fine.</font><br>
<br>
<font size="2" face="sans-serif">Kind regards,</font><br>
<br>
<font size="2" face="sans-serif">Martin</font><br>
<br>
<font size="2" face="sans-serif">--</font><br>
<font size="2" face="sans-serif">Dr. Martin Brändle</font><br>
<font size="2" face="sans-serif">Zentrale Informatik</font><br>
<font size="2" face="sans-serif">Universität Zürich</font><br>
<font size="2" face="sans-serif">Stampfenbachstr. 73</font><br>
<font size="2" face="sans-serif">CH-8006 Zürich</font><br>
<br>
<br>
<br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">&quot;David R Newman via Eprints-tech&quot; &lt;eprints-tech@ecs.soton.ac.uk&gt;</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">&quot;eprints-tech@ecs.soton.ac.uk&quot; &lt;eprints-tech@ecs.soton.ac.uk&gt;</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">24/02/2021 10:44</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">[EP-tech] EPrints Security Announcement - February 2020</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Sent by: </font><font size="1" face="sans-serif">&lt;eprints-tech-bounces@ecs.soton.ac.uk&gt;</font><br>
</p>
<hr width="100%" size="2" align="left" noshade="" style="color:#8091A5; ">
<br>
<br>
<br>
<font size="3" face="serif">Hi all, </font><br>
<font size="3" face="serif">EPrints Services was recently made aware of a small number of security vulnerabilities within the EPrints codebase, affecting both EPrints 3.4 and EPrints 3.3.</font><br>
<font size="3" face="serif">I have created two patch files to fix the vulnerabilities and uploaded them to
</font><a href="http://files.eprints.org/"><font size="3" color="#0000FF" face="serif"><u>files.eprints.org</u></font></a><font size="3" face="serif">.</font><br>
<br>
<font size="3" face="serif">- EPrints 3.4.2 : </font><a href="https://files.eprints.org/2548/"><font size="3" color="#0000FF" face="serif"><u>https://files.eprints.org/2548/</u></font></a><font size="3" face="serif">&nbsp;<br>
- EPrints 3.3.x : </font><a href="https://files.eprints.org/2549/"><font size="3" color="#0000FF" face="serif"><u>https://files.eprints.org/2549/</u></font></a><font size="3" face="serif">&nbsp;<br>
<br>
The former fixes the EPrints 3.4.2 release and the latter fixes EPrints 3.3 (based on the current HEAD of
</font><a href="https://github.com/eprints/eprints"><font size="3" color="#0000FF" face="serif"><u>https://github.com/eprints/eprints</u></font></a><font size="3" face="serif">).
 These links also provide instructions on how to apply the patch file and some more details on the affected files. &nbsp;There are references to the Common Vulnerabilities and Exposures (CVE) IDs but as of now these are yet to be published. &nbsp;All the vulnerabilities
 identified relate to either Cross-Site Scripting (XSS) or Remote Code Execution (RCE) vulnerabilities. &nbsp;All of these vulnerabilities would require analysis of the codebase to determine an exploit. &nbsp;It is very unlikely that generic tools used to identify vulnerabilities
 would discover these, as specific knowledge is required. <br>
<br>
I have also updated to patch these vulnerabilities on both the eprints and eprints3.4 GitHub repositories for the eprints organisation (</font><a href="https://github.com/eprints"><font size="3" color="#0000FF" face="serif"><u>https://github.com/eprints</u></font></a><font size="3" face="serif">).
 &nbsp;The next release of EPrints 3.4 (3.4.3) will have these security fixes in place.
<br>
<br>
EPrints Services customers, both those whom EPrints Services host and those that self-host, have either been patched or, where this has not been possible, informed of the vulnerabilities and how they can be fixed.<br>
<br>
If you have any follow-up questions please feel free to ask. Hopefully, the CVEs will be published shortly for those interested in more detail. &nbsp;However, they were raised by a third party, whom I have only just given the go-ahead to make these public.
<br>
<br>
Regards <br>
<br>
David Newman </font><br>
<br>
<tt><font size="2">*** Options:
</font></tt><tt><font size="2"><a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech">http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech</a></font></tt><tt><font size="2"><br>
*** Archive: </font></tt><tt><font size="2"><a href="http://www.eprints.org/tech.php/">http://www.eprints.org/tech.php/</a></font></tt><tt><font size="2"><br>
*** EPrints community wiki: </font></tt><tt><font size="2"><a href="http://wiki.eprints.org/">http://wiki.eprints.org/</a></font></tt><br>
<br>
</div>
</body>
</html>