Date: Sat, 18 Jan 2025 16:56:02 +0100
Message-ID: <87y0z8yv3h.wl-jch@irif.fr>
From: Juliusz Chroboczek
To: galene@lists.galene.org
Subject: [Galene] ANNOUNCE: galene-0.96.1

Dear all,

Galene 0.96.1 is available by doing

  git clone -b galene-0.96.1 https://github.com/jech/galene

This release fixes a rather nasty but thankfully difficult to exploit
security vulnerability. There's no need to panic, but upgrading is
recommended.

Galene is currently undergoing a security audit by Stefan Vinck of
Radically Open Security, funded by NLnet. While the security audit is not
finished yet, it has already uncovered a path traversal issue in the disk
writer. Fortunately, the issue is only exploitable under fairly specific
conditions:

- you have enabled recording to disk;
- you have given Op permissions to the wildcard user.

An additional mitigating factor is that Galene does not normally need to
run as root, so the path vulnerability is limited to files the Galene user
has write access to.

This version also implements some minor changes to the user interface,
please see the attached changelog. There are two minor incompatibilities
with previous versions: backslashes are no longer allowed in group names,
and the pattern "/." is no longer allowed in usernames.

You may expect a new release soon after the security audit is completed.

-- Juliusz Chroboczek

18 January 2025: Galene 0.96.1

* Avoid path traversal in disk writer.
* Forbid backslashes in group names on all systems (we used to only forbid
  them on Windows). This is an incompatible change.
* Minor restrictions on usernames: forbid usernames starting with a slash,
  forbid usernames containing the string "/.", and forbid backslashes.
  This is an incompatible change.
* Ensure cleartext passwords are verified in constant time.
* Remove "data:" from allowed image sources in CSP header.
* Disable the unmute button before presenting. Thanks to Sacha Chua.
* Fix PCMA audio (don't ask).
* Update fontawesome to version 6.7.2.
* Delay requesting microphone permissions on Safari until after successful
  login.
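The three hardening rules in the changelog (the group-name and username restrictions, a containment check that keeps the disk writer inside its recording directory, and constant-time password comparison), as an added Go illustration that is not Galene's own code; the recording directory, names and passwords below are constructed examples.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Group names: backslashes are forbidden on all systems (0.96.1 rule).
func ValidGroupName(name string) bool {
	return name != "" && !strings.Contains(name, `\`)
}

// Usernames: no leading slash, no "/." substring, no backslashes (0.96.1 rules).
func ValidUsername(name string) bool {
	if name == "" || strings.HasPrefix(name, "/") {
		return false
	}
	return !strings.Contains(name, "/.") && !strings.Contains(name, `\`)
}

// ContainedPath joins rel onto base and refuses any result that resolves
// outside base, the backstop a disk writer needs even if name checks slip.
func ContainedPath(base, rel string) (string, error) {
	base = filepath.Clean(base)
	full := filepath.Join(base, rel)
	r, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes recording directory")
	}
	return full, nil
}

// ConstantTimePasswordEqual compares cleartext passwords without leaking the position of the first mismatch.
func ConstantTimePasswordEqual(stored, supplied string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(supplied)) == 1
}

func main() {
	// Constructed sample: a hypothetical recording directory and a bad name.
	_, err := ContainedPath("/var/lib/galene/recordings", "../../outside.txt")
	fmt.Println("traversal rejected:", err != nil)
	fmt.Println("username ok:", ValidUsername("alice"), ValidUsername("a/../b"))
}
```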