Security release: Talkyard v0.2021.38
Upgrade to Talkyard v0.2021.38, if you're self hosted and have disabled automatic upgrades.
If you have auto upgrades enabled, your Talkyard site (if any) should have upgraded itself automatically last night. Sites hosted by us have also been upgraded.
Security fixes
This version (and, in fact, some earlier versions too) fixes two security problems:
- Host header injection: possible account takeover via fake password reset links. Affected self-hosted sites only.
  See: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25980.
  Thanks to the WhiteSource Vulnerability Research Team (WVR) for reporting.
  (We (well, I) were unaware of this vulnerability.)
- Bad session management: there wasn't a real way to log out.
  See: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981.
  Thanks to WhiteSource WVR for reporting.
  (We were aware of this and had slowly started working on a fix, but it took a long time, to a large part because of trickiness with cookies usually not working in iframes.)
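The two list items above describe two patterns: a reset link whose hostname comes from the request, and a "logout" that does not actually revoke anything on the server. The following is an added example, not Talkyard's own code, modelling both fixes in one place: absolute reset links built from a configured origin (with the Host header checked against an allowlist), and a server-side session store whose logout really invalidates the session id. The cookie helper also shows the iframe trickiness mentioned above: a cookie that must be sent from an embedded (third-party) context needs `SameSite=None; Secure`, which is not the right default elsewhere. All names, the `/-/reset-password` path, the `ty_session` cookie name and the origin values are constructed for illustration.

```python
"""Added example, not Talkyard's own code: a minimal model of the two patterns
behind the fixes above. All names, paths and values are constructed.

1. Password-reset links are built from a configured canonical origin, never
   from the request's Host header, so a request carrying a forged Host header
   cannot make the emailed link point at someone else's domain.
2. Sessions are recorded server-side and deleted on logout, so a logged-out
   session id is rejected even if a browser still sends it.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: in a real deployment these come from the site's configuration.
CANONICAL_ORIGIN = "https://forum.example.com"      # constructed
ALLOWED_HOSTS = {"forum.example.com"}               # constructed
RESET_PATH = "/-/reset-password"                    # constructed path


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """'Before' pattern: the absolute URL is derived from the Host header, so
    whoever controls that header controls where the reset token is sent."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?token={token}"


def host_is_allowed(headers: Dict[str, str]) -> bool:
    """Host-header allowlist check (the same idea as Django's ALLOWED_HOSTS)."""
    return headers.get("Host", "").lower() in ALLOWED_HOSTS


def reset_link_fixed(headers: Dict[str, str], token: str) -> str:
    """Hardened pattern: reject unexpected hosts, and even for accepted ones
    build the link from the configured origin rather than from the request."""
    if not host_is_allowed(headers):
        raise ValueError("unexpected Host header: %r" % headers.get("Host", ""))
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"


def _clock(now: Optional[float]) -> float:
    """Injectable clock so expiry can be exercised deterministically."""
    return time.time() if now is None else now


class SessionStore:
    """Server-side session registry: session id -> (user id, expiry time).

    Logging out deletes the record, so the id stops working on every client,
    unlike merely clearing the cookie in one browser."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl_seconds

    def login(self, user_id: str, now: Optional[float] = None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self._sessions[sid] = (user_id, _clock(now) + self._ttl)
        return sid

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a session id; expired or revoked ids resolve to None."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        user_id, expires_at = record
        if _clock(now) >= expires_at:
            del self._sessions[sid]
            return None
        return user_id

    def logout(self, sid: str) -> bool:
        """Revoke one session. Returns False if it was already gone."""
        return self._sessions.pop(sid, None) is not None

    def logout_everywhere(self, user_id: str) -> int:
        """Revoke all sessions of a user, e.g. right after a password reset."""
        stale = [sid for sid, (uid, _) in self._sessions.items() if uid == user_id]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def session_cookie_header(sid: str, in_iframe: bool) -> str:
    """Set-Cookie value for the session id (cookie name is constructed).
    Embedded, third-party contexts only receive the cookie with SameSite=None,
    which in turn requires the Secure attribute."""
    same_site = "None" if in_iframe else "Lax"
    return f"ty_session={sid}; Path=/; HttpOnly; Secure; SameSite={same_site}"
```

Note the two halves of the reset fix: checking Host against an allowlist alone is not enough if the link is still assembled from the header (a misconfigured allowlist would reintroduce the problem), and using the configured origin alone still lets a forged Host slip through to other code that reads it, so the hardened function does both. On the session side, `logout_everywhere` is the companion to a password reset: once a reset token has been used, every existing session for that account should be revoked.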
Log4j2
This new Ty version (i.e. v0.2021.38) also deals with a Log4j2 Remote Code Execution (RCE) security bug. It turns out Talkyard wasn't vulnerable (Ty uses a newer and safer version of JVM 8), but we've upgraded Log4j2 in any case.
About the Log4j2 RCE, see: https://www.lunasec.io/docs/blog/log4j-zero-day/ and https://news.ycombinator.com/item?id=29504755.
Talkyard uses Elasticsearch, which uses Log4j2, but it also wasn't vulnerable, because of the Java Security Manager. However, there are other related problems, so in this new Ty version we've set -Dlog4j2.formatMsgNoLookups=true (which stops them) in Elasticsearch. See: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476