<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <p>Hi James,</p>
    <p>If you need to patch 3.3.x then only the following files need to
      be updated:</p>
    <p>cgi/latex2png - This just needs to be removed as it is a legacy
      script and is not used by standard EPrints 3.3 repositories.&nbsp;
      Therefore, the fix is identical whatever version of 3.3 you are
      on.</p>
    <p>cgi/ajax/phrase - This was last modified in April 2012 so any
      release of 3.3 from 3.3.9 onwards should be fixable using the
      available patch file. This last modification was quite significant,
      so it may affect whether the patch file is able to patch its
      vulnerability for earlier versions of 3.3.<br>
    </p>
    <p>perl_lib/EPrints/XML.pm (change needed for cgi/ajax/phrase
      vulnerability) - This has only had a couple of minor changes since
      December 2011 (3.3.7).&nbsp; Therefore, I think the patch file is
      likely to work but I cannot be certain.</p>
    <p>perl_lib/EPrints/XML/LibXML.pm (change needed for cgi/ajax/phrase
      vulnerability) - This has only had a minor change since September
      2011 (3.3.6).&nbsp; Therefore, I think the patch file is likely to work
      but I cannot be certain.</p>
    <p>cgi/toolbox/toolbox - This has not been modified since June 2011,
      so I think the patch file should work for all versions of 3.3.</p>
    <p>Regards</p>
    <p>David Newman<br>
    </p>
    <div class="moz-cite-prefix">On 24/02/2021 13:38, James Kerwin
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:CAKkNZ9CKbyusaou8dPWdjtW53JPAwdeRwQ5d-ypHmjJ7DDvy8A@mail.gmail.com">
      
      <div>
        <div dir="ltr">Hi David,
          <div><br>
          </div>
          <div>Thank you very much for bringing this to our attention
            and providing the solutions.</div>
          <div><br>
          </div>
          <div>Shamefully, we are still on 3.3.14 (I promise we are
            upgrading this year). The patch mentioned works on 3.3.16
            and the page says it might work on earlier versions (a brief
            look through two of the files suggests they're more or less
            the same as those for 3.3.16).</div>
          <div><br>
          </div>
          <div>In my attempt to avoid any problems that could result
            from &quot;might&quot; are these the files that need altering if I
            were to do it manually:</div>
          <div><br>
          </div>
          <div>/cgi/ajax/phrase : CVE-2021-26703</div>
          <div>/cgi/latex2png : CVE-2021-3342</div>
          <div>/cgi/toolbox/toolbox : CVE-2021-26704<br>
          </div>
          <div><br>
          </div>
          <div>There also appears to be some changes to be made to
            XML.pm</div>
          <div><br>
          </div>
          <div>Am I interpreting it correctly where it looks as though
            latex2png will be left as an empty file (deleted) by the
            end?</div>
          <div><br>
          </div>
          <div>I think the page makes it very clear that these are the
            files that are affected, but I just want to check there
            aren't any others that the patch addresses. I have looked at
            the patch, but I try not to underestimate my ability to
            totally misunderstand the most obvious of things.</div>
          <div><br>
          </div>
          <div>My plan is to try the command first on a test EPrints
            server and if it doesn't work, do it manually.<br>
            <br>
            Thanks,</div>
          <div>James</div>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Wed, Feb 24, 2021 at 9:27
            AM David R Newman via Eprints-tech &lt;<a href="mailto:eprints-tech@ecs.soton.ac.uk" moz-do-not-send="true">eprints-tech@ecs.soton.ac.uk</a>&gt;
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
            0.8ex;border-left:1px solid
            rgb(204,204,204);padding-left:1ex">
            <div>
              <p>Hi all, <br>
              </p>
              <div>
                <p>EPrints Services was recently made aware of a small number
                  of security vulnerabilities within the EPrints codebase,
                  affecting both EPrints 3.4 and EPrints 3.3.</p>
                <p>I have created two patch files to fix the vulnerabilities
                  and uploaded them to
                  <a href="http://files.eprints.org/">files.eprints.org</a>.</p>
              </div>
              <div><br>
              </div>
              - EPrints 3.4.2 : <a href="https://files.eprints.org/2548/">https://files.eprints.org/2548/</a> <br>
              - EPrints 3.3.x : <a href="https://files.eprints.org/2549/">https://files.eprints.org/2549/</a> <br>
              <br>
              The former fixes the EPrints 3.4.2 release and the latter
              fixes EPrints 3.3 (based on the current HEAD of
              <a href="https://github.com/eprints/eprints">https://github.com/eprints/eprints</a>). These links
              also provide instructions on how to apply the patch file
              and some more details on the affected files. There are
              references to the Common Vulnerabilities and Exposures
              (CVE) IDs but as of now these are yet to be published.
              All the vulnerabilities identified relate to either
              Cross-Site Scripting (XSS) or Remote Code Execution (RCE)
              vulnerabilities. All of these vulnerabilities would
              require analysis of the codebase to determine an exploit.
              It is very unlikely that generic tools used to identify
              vulnerabilities would discover these, as specific
              knowledge is required.
              <br>
              <br>
              I have also updated both the eprints and eprints3.4 GitHub
              repositories for the eprints organisation
              (<a href="https://github.com/eprints">https://github.com/eprints</a>)
              to patch these vulnerabilities.
              The next release of EPrints 3.4 (3.4.3) will have these
              security fixes in place.
              <br>
              <br>
              EPrints Services customers, both those that EPrints Services
              host and those that self-host, have either been patched or,
              where this has not been possible, been informed of the
              vulnerabilities and how they can be fixed.<br>
              <br>
              If you have any follow-up questions please feel free to
              ask. Hopefully, the CVEs will be published shortly for
              those interested in more detail. However, they were
              raised by a third party, whom I have only just given the
              go-ahead to make these public.
              <br>
              <br>
              Regards <br>
              <br>
              David Newman
            </div>
            *** Options: <a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech">http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech</a><br>
            *** Archive: <a href="http://www.eprints.org/tech.php/">http://www.eprints.org/tech.php/</a><br>
            *** EPrints community wiki: <a href="http://wiki.eprints.org/">http://wiki.eprints.org/</a></blockquote>
        </div>
      </div>
    </blockquote>
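    <p>As an added example for this thread (it is not code from the EPrints project and not the patch from files.eprints.org), the following Python performs the check James describes, a dry run of the patch before anything is edited. It parses a unified diff and reports, per file, whether every hunk still matches the local copy exactly, matches at an offset (the "more or less the same as 3.3.16" case, where a line was added or removed above the hunk), fails because the line the patch replaces has drifted since the release the patch was written against, or deletes the file outright (a <code>+++ /dev/null</code> header, which is the form a patch takes when it removes a script rather than editing it). The sample tree and diff in the block are constructed placeholders with hypothetical contents; the paths merely echo the file names discussed above and are not the real EPrints 3.3 files or hunks.</p>

```python
"""Dry-run a unified diff against local files, the way `patch --dry-run` does.
Added example for this thread, not the EPrints patch or EPrints project code;
SAMPLE_TREE and SAMPLE_DIFF are constructed placeholders, not real files."""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(diff_text):
    """Return [[old_path, new_path, [(old_start, hunk_lines), ...]], ...].
    Hunk bodies are sized from the @@ header, so a removed line that starts
    with '--' is never mistaken for a '--- ' file header."""
    files = []                               # [old_path, new_path, hunks] per file
    left_old = left_new = 0                  # lines still owed by the open hunk
    for line in diff_text.splitlines():
        if left_old > 0 or left_new > 0:
            if line.startswith("\\ "):       # "\ No newline at end of file"
                continue
            tag = line[:1] or " "            # a bare '' is an empty context line
            if tag not in " -+":
                raise ValueError(f"unexpected line inside hunk: {line!r}")
            left_old -= tag != "+"           # ' ' and '-' consume an old line
            left_new -= tag != "-"           # ' ' and '+' consume a new line
            files[-1][2][-1][1].append(line or " ")
        elif line.startswith("--- "):
            files.append([line[4:].split("\t")[0].strip().removeprefix("a/"), None, []])
        elif line.startswith("+++ "):
            files[-1][1] = line[4:].split("\t")[0].strip().removeprefix("b/")
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)          # old_start, old_len, new_start, new_len
            left_old, left_new = int(m.group(2) or 1), int(m.group(4) or 1)
            files[-1][2].append((int(m.group(1)), []))
    return files


def find_hunk(file_lines, old_start, hunk):
    """0-based index where the hunk's pre-image (context + removed lines) matches, or -1."""
    pre = [l[1:] for l in hunk if l[0] in " -"]
    # Stated position first, then nearby, so local drift yields an offset, not a failure.
    for i in sorted(range(len(file_lines) - len(pre) + 1), key=lambda i: abs(i - old_start + 1)):
        if file_lines[i:i + len(pre)] == pre:
            return i
    return -1


def dry_run(tree, diff_text):
    """Verdict per file (nothing is modified): 'ok', 'ok (offset +N)', 'hunk N fails', 'delete', ..."""
    report = {}
    for old_path, new_path, hunks in parse_unified_diff(diff_text):
        if old_path not in tree:
            report[old_path] = "missing file"
            continue
        lines = tree[old_path].splitlines()
        if new_path == "/dev/null":          # the patch removes the whole file
            removed = [l[1:] for _, h in hunks for l in h if l[0] == "-"]
            report[old_path] = "delete" if removed == lines else "delete: local file differs"
            continue
        verdict = "ok"
        for n, (start, hunk) in enumerate(hunks, 1):
            at = find_hunk(lines, start, hunk)
            if at < 0:
                verdict = f"hunk {n} fails"
                break
            if at != start - 1 and verdict == "ok":
                verdict = f"ok (offset {at - start + 1:+d})"
        report[old_path] = verdict
    return report


# Constructed placeholders, not real EPrints files; the four cases are described in the lead-in.
SAMPLE_TREE = {
    "cgi/toolbox/toolbox": "#!/usr/bin/perl\n# header\nold toolbox line\n",
    "cgi/ajax/phrase": "#!/usr/bin/perl\nuse strict;\n# header\nold phrase line\n",
    "perl_lib/EPrints/XML.pm": "package Placeholder;\nold xml line, edited locally\n",
    "cgi/latex2png": "#!/usr/bin/perl\n# placeholder legacy script\n",
}
SAMPLE_DIFF = """\
--- a/cgi/toolbox/toolbox
+++ b/cgi/toolbox/toolbox
@@ -2,2 +2,2 @@
 # header
-old toolbox line
+new toolbox line
--- a/cgi/ajax/phrase
+++ b/cgi/ajax/phrase
@@ -2,2 +2,2 @@
 # header
-old phrase line
+new phrase line
--- a/perl_lib/EPrints/XML.pm
+++ b/perl_lib/EPrints/XML.pm
@@ -1,2 +1,2 @@
 package Placeholder;
-old xml line
+new xml line
--- a/cgi/latex2png
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/perl
-# placeholder legacy script
"""
```

    <p>Running <code>dry_run(SAMPLE_TREE, SAMPLE_DIFF)</code> on the constructed sample gives <code>ok</code> for cgi/toolbox/toolbox, <code>ok (offset +1)</code> for cgi/ajax/phrase, <code>hunk 1 fails</code> for perl_lib/EPrints/XML.pm and <code>delete</code> for cgi/latex2png. Against a real install, build the tree from the files on disk (a dict of relative path to contents read from the EPrints root) and pass in the downloaded patch file; on the server itself, <code>patch --dry-run -p1 &lt; patchfile</code> is the equivalent check. A file that reports <code>hunk N fails</code> is the one to edit by hand, comparing the hunk with the local copy. A <code>delete</code> verdict means the patch removes the file entirely; if GNU patch leaves it as an empty file instead, <code>patch -E</code> (<code>--remove-empty-files</code>) removes such files, and either way the script should no longer be reachable under <code>/cgi/</code> afterwards. A clean dry run only shows the patch applies; it does not show that the result is correct, so the test-server step still matters.</p>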
  </body>
</html>