* [Galene] Galene security review
@ 2025-06-10 20:33 Juliusz Chroboczek
0 siblings, 0 replies; only message in thread
From: Juliusz Chroboczek @ 2025-06-10 20:33 UTC (permalink / raw)
To: galene
Hi,
Back in January, Galene underwent a security review by Sven Vink of
Radically Open Security, funded by NLnet. It was very interesting, we had
some very interesting chats with the reviewer, and I learned a lot.
The document is here:
https://galene.org/NGICore%20Galene%20penetration%20test%20report%202025%201.0.pdf
The summary is on page 5:
> During this crystal-box penetration test we found 7 Moderate and
> 5 Low-severity issues.
The bad news are the path traversal issues; as a mitigating factor,
they're only exposed to privileged users (you need to have the "record"
permissions). They have been fixed in Galene back in January.
Most issues found by the review were fixed in Galene 0.96.2. Exceptions:
* password policy: Galene accepts weak passwords by design: I find it
convenient to organise meetings with a password that can easily be
dictated on the phone, especially when the meetings are not confidential;
* HSTS (security headers): this complicates administration, and is
therefore at odds with the goals of Galene;
* protection against brute force attacks and disk space exhaustion;
* insufficient logging.
Thanks to Sven Vink for his work and the interesting chats, and to NLnet
for funding the review.
-- Juliusz
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2025-06-10 20:33 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-06-10 20:33 [Galene] Galene security review Juliusz Chroboczek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox