Galène videoconferencing server discussion list archives
From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] ANNOUNCE: galene-0.96.1
Date: Sat, 18 Jan 2025 16:56:02 +0100
Message-ID: <87y0z8yv3h.wl-jch@irif.fr>

Dear all,

Galene 0.96.1 is available by doing

    git clone -b galene-0.96.1 https://github.com/jech/galene

This release fixes a rather nasty but thankfully difficult to exploit
security vulnerability.  There's no need to panic, but upgrading is
recommended.

Galene is currently undergoing a security audit by Stefan Vinck of
Radically Open Security, funded by NLnet.  While the security audit is not
finished yet, it has already uncovered a path traversal issue in the disk
writer.

Fortunately, the issue is only exploitable under fairly specific conditions:

  - you have enabled recording to disk;
  - you have given Op permissions to the wildcard user.

An additional mitigating factor is that Galene does not normally need to
run as root, so the path vulnerability is limited to files the Galene user
has write access to.

This version also implements some minor changes to the user interface,
please see the attached changelog.  There are two minor incompatibilities
with previous versions, backslashes are no longer allowed in group names,
and the pattern "/." is no longer allowed in usernames.

You may expect a new release soon after the security audit is completed.

-- Juliusz Chroboczek

18 January 2025: Galene 0.96.1

  * Avoid path traversal in disk writer.
  * Forbid backslashes in group names on all systems (we used to only
    forbid them on Windows).  This is an incompatible change.
  * Minor restrictions on usernames: forbid usernames starting with
    a slash, forbid usernames containing the string "/.", and forbid
    backslashes.  This is an incompatible change.
  * Ensure cleartext passwords are verified in constant time.
  * Remove "data:" from allowed image sources in CSP header.
  * Disable the unmute button before presenting.  Thanks to Sacha Chua.
  * Fix PCMA audio (don't ask).
  * Update fontawesome to version 6.7.2.
  * Delay requesting microphone permissions on Safari until after
    successful login.
