Galène videoconferencing server discussion list archives
* [Galene] ANNOUNCE: galene-0.96.1
@ 2025-01-18 15:56 Juliusz Chroboczek
From: Juliusz Chroboczek @ 2025-01-18 15:56 UTC (permalink / raw)
  To: galene

Dear all,

Galene 0.96.1 is available by doing

    git clone -b galene-0.96.1 https://github.com/jech/galene

This release fixes a rather nasty but thankfully difficult to exploit
security vulnerability.  There's no need to panic, but upgrading is
recommended.

Galene is currently undergoing a security audit by Stefan Vinck of
Radically Open Security, funded by NLnet.  While the security audit is not
finished yet, it has already uncovered a path traversal issue in the disk
writer.

Fortunately, the issue is only exploitable under fairly specific conditions:

  - you have enabled recording to disk;
  - you have given Op permissions to the wildcard user.

An additional mitigating factor is that Galene does not normally need to
run as root, so the path vulnerability is limited to files the Galene user
has write access to.

This version also implements some minor changes to the user interface;
please see the attached changelog.  There are two minor incompatibilities
with previous versions: backslashes are no longer allowed in group names,
and the pattern "/." is no longer allowed in usernames.

You may expect a new release soon after the security audit is completed.

-- Juliusz Chroboczek

18 January 2025: Galene 0.96.1

  * Avoid path traversal in disk writer.
  * Forbid backslashes in group names on all systems (we used to only
    forbid them on Windows).  This is an incompatible change.
  * Minor restrictions on usernames: forbid usernames starting with
    a slash, forbid usernames containing the string "/.", and forbid
    backslashes.  This is an incompatible change.
  * Ensure cleartext passwords are verified in constant time.
  * Remove "data:" from allowed image sources in CSP header.
  * Disable the unmute button before presenting.  Thanks to Sacha Chua.
  * Fix PCMA audio (don't ask).
  * Update fontawesome to version 6.7.2.
  * Delay requesting microphone permissions on Safari until after
    successful login.
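The following Go program is an added illustration written for this archive page; it is not Galène's code and does not describe how the 0.96.1 fix is implemented. It models the name restrictions listed in the changelog (no leading slash, no backslash, no "/." substring) as a lexical check, then shows why a disk writer still needs an independent confinement check: a name such as ".." passes those lexical rules, so the example additionally verifies that the final recording path stays under the recordings directory. The base directory, the group/user layout and the function names are assumptions of the example. A constant-time password comparison using crypto/subtle is included as a counterpart to the changelog's password item.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadName is returned for names that fail validation or would leave the base directory.
var ErrBadName = errors.New("invalid group or user name")

// ValidName applies the three lexical rules from the changelog: no leading slash,
// no backslash anywhere (on every platform, not only Windows), and no "/." substring.
// Rejecting the empty name is an extra assumption made by this example.
func ValidName(name string) bool {
	if name == "" || strings.HasPrefix(name, "/") {
		return false
	}
	if strings.ContainsRune(name, '\\') || strings.Contains(name, "/.") {
		return false
	}
	return true
}

// RecordingPath builds a hypothetical on-disk location base/group/user for a
// recording and refuses any result that does not lie strictly inside base.
// The containment check is defence in depth: the lexical rules alone do not
// reject a bare ".." component, but filepath.Rel exposes the escape.
func RecordingPath(base, group, user string) (string, error) {
	if !ValidName(group) || !ValidName(user) {
		return "", ErrBadName
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	p := filepath.Join(absBase, group, user) // Join also runs filepath.Clean
	rel, err := filepath.Rel(absBase, p)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrBadName
	}
	return p, nil
}

// PasswordMatches compares a stored cleartext password with the supplied one in
// constant time.  subtle.ConstantTimeCompare still returns 0 immediately when the
// lengths differ, so only the length (not the content) of the secret is observable.
func PasswordMatches(stored, supplied string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(supplied)) == 1
}

func main() {
	base := "/var/galene/recordings" // constructed example directory; need not exist
	for _, c := range [][2]string{{"group", "alice"}, {"..", "alice"}, {"g", "a/../b"}} {
		p, err := RecordingPath(base, c[0], c[1])
		fmt.Printf("group=%q user=%q -> path=%q err=%v\n", c[0], c[1], p, err)
	}
	fmt.Println("password ok:", PasswordMatches("secret", "secret"))
}
```

Run with `go run` on a Unix system: the first case yields a path under the base directory, the second is rejected by the containment check even though ".." satisfies the lexical rules, and the third is rejected by the "/." rule before any path is built.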
