From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Date: Tue, 10 Jun 2025 22:33:43 +0200
Subject: [Galene] Galene security review
Message-ID: <875xh3nxp4.wl-jch@irif.fr>
List-Id: Galène videoconferencing server discussion list

Hi,

Back in January, Galene underwent a security review by Sven Vink of Radically Open Security, funded by NLnet. It was very interesting; we had some very interesting chats with the reviewer, and I learned a lot.
The document is here:

  https://galene.org/NGICore%20Galene%20penetration%20test%20report%202025%201.0.pdf

The summary is on page 5:

> During this crystal-box penetration test we found 7 Moderate and
> 5 Low-severity issues.

The bad news is the path traversal issues; as a mitigating factor, they're only exposed to privileged users (you need to have the "record" permissions). They were fixed in Galene back in January.

Most issues found by the review were fixed in Galene 0.96.2. Exceptions:

* password policy: Galene accepts weak passwords by design: I find it convenient to organise meetings with a password that can easily be dictated on the phone, especially when the meetings are not confidential;

* HSTS (security headers): this complicates administration, and is therefore at odds with the goals of Galene;

* protection against brute force attacks and disk space exhaustion;

* insufficient logging.

Thanks to Sven Vink for his work and the interesting chats, and to NLnet for funding the review.

-- 
Juliusz
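The message above mentions path traversal issues reachable through the "record" permission without saying how they were fixed. As an added illustration, and not Galene's own code nor anything taken from the report, the following Go helper shows the defensive check a server needs whenever a client-supplied name is used to place a recording file on disk: the name must be a single plain file-name component, and the resolved path must still lie below the server-controlled base directory. The function name, the character allow-list, the base directory and the sample names are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadRecordingName is returned for any client-supplied name that is not a
// single, plain file-name component inside the recordings directory.
var ErrBadRecordingName = errors.New("recording name rejected")

// isSafeNameRune allows only a conservative character set for recording names.
// The allow-list is an assumption for this example; a real server would pick
// the set that matches the names it generates itself.
func isSafeNameRune(r rune) bool {
	switch {
	case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		return true
	case r == '-', r == '_', r == '.', r == ':':
		return true
	}
	return false
}

// SafeRecordingPath resolves a client-supplied recording name against a
// server-controlled base directory and rejects anything that could escape it.
// Two independent checks are applied: an allow-list on the name itself, and a
// verification that the joined, cleaned path still lies strictly below base.
func SafeRecordingPath(base, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrBadRecordingName
	}
	// Never accept path separators (either flavour) or NUL in a file-name component.
	if strings.ContainsAny(name, "/\\\x00") {
		return "", ErrBadRecordingName
	}
	for _, r := range name {
		if !isSafeNameRune(r) {
			return "", ErrBadRecordingName
		}
	}
	cleanBase := filepath.Clean(base)
	full := filepath.Join(cleanBase, name) // Join also cleans the result
	// Defence in depth: confirm the resolved path is strictly inside cleanBase,
	// so a future change to the allow-list cannot silently reopen traversal.
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadRecordingName
	}
	return full, nil
}

func main() {
	base := "/srv/galene/recordings/demo-group" // constructed example directory
	for _, name := range []string{
		"2025-06-10T22:33:43.webm",   // plain name: accepted
		"../other-group/secret.webm", // traversal: rejected
		"..", "/etc/passwd", "a/b.webm", "",
	} {
		p, err := SafeRecordingPath(base, name)
		fmt.Printf("%-30q -> %q %v\n", name, p, err)
	}
}
```

The allow-list is the check that actually decides; the `filepath.Rel` test is there so that the property "nothing outside the recordings directory is ever written" does not depend on one list of characters staying correct.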