[aur-dev] [HEADS-UP] Breaking AUR helpers
Hi!

I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.

I recommend using the web interface until the affected programs are fixed.
On 24.06.2012 16:55, Lukas Fleischer wrote:
> Hi!
> I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.
> I recommend using the web interface until the affected programs are fixed.

When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?

Regards,
Stefan
On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
> On 24.06.2012 16:55, Lukas Fleischer wrote:
>> Hi!
>> I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.
>> I recommend using the web interface until the affected programs are fixed.
>
> When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?
>
> Regards,
> Stefan

It's already happened. Uploaders who don't cope with this will see an error:

    Invalid token for user action.

Yes, it would have been nice to see a little more lead time on this but honestly the change isn't really so severe.

d
On 24.06.2012 18:39, Dave Reisner wrote:
> On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
>> On 24.06.2012 16:55, Lukas Fleischer wrote:
>>> Hi!
>>> I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.
>>> I recommend using the web interface until the affected programs are fixed.
>>
>> When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?
>>
>> Regards,
>> Stefan
>
> It's already happened. Uploaders who don't cope with this will see an error:
>
>     Invalid token for user action.
>
> Yes, it would have been nice to see a little more lead time on this but honestly the change isn't really so severe.
>
> d

So I guess burp's new version already reflects this?
On Sun, Jun 24, 2012 at 06:47:09PM +0200, Stefan Husmann wrote:
> On 24.06.2012 18:39, Dave Reisner wrote:
>> On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
>>> On 24.06.2012 16:55, Lukas Fleischer wrote:
>>>> Hi!
>>>> I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.
>>>> I recommend using the web interface until the affected programs are fixed.
>>>
>>> When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?
>>>
>>> Regards,
>>> Stefan
>>
>> It's already happened. Uploaders who don't cope with this will see an error:
>>
>>     Invalid token for user action.
>>
>> Yes, it would have been nice to see a little more lead time on this but honestly the change isn't really so severe.
>>
>> d
>
> So I guess burp's new version already reflects this?

Yep. 1.6.9 sends the extra authentication token needed for this change.
On Sun, Jun 24, 2012 at 12:39:41PM -0400, Dave Reisner wrote:
> On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
>> On 24.06.2012 16:55, Lukas Fleischer wrote:
>>> Hi!
>>> I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.
>>> I recommend using the web interface until the affected programs are fixed.
>>
>> When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?
>>
>> Regards,
>> Stefan
>
> It's already happened. Uploaders who don't cope with this will see an error:
>
>     Invalid token for user action.
>
> Yes, it would have been nice to see a little more lead time on this but honestly the change isn't really so severe.

Explaining the situation and the exact changes would have disclosed the vulnerability and we would have had an unpatched and publicly announced security flaw for some days. Given that AUR helpers are completely unsupported (especially the helpers that use the HTML interface) and given my lack of time, I didn't look for all popular helpers and inform the particular maintainers. I'll try to do better next time.

> d
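To illustrate the kind of check the thread is talking about, here is an added example (not aurweb's code, and not how the AUR patch was actually implemented): a per-session CSRF token is derived server-side, embedded in HTML forms, and required on every state-changing form submission, while the read-only RPC path is left untouched. The server secret, the `/rpc` and `/packages` paths and the `action` form field are constructed names for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed per-process secret for the example; a real server keeps this in
# configuration and ties tokens to the user's login session.
SERVER_SECRET = secrets.token_bytes(32)


def make_token(session_id: str) -> str:
    """Derive the CSRF token for a session: HMAC-SHA256 of the session id.

    The server embeds this value as a hidden field in every HTML form, so a
    forged cross-site request (which cannot read the victim's page) lacks it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject a missing token, and compare a present one in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(make_token(session_id), submitted)


def handle_request(method: str, path: str, session_id: str,
                   form: Dict[str, str]) -> Tuple[int, str]:
    """Minimal dispatcher mirroring the thread: form actions need the token,
    RPC calls do not (hypothetical paths)."""
    if path.startswith("/rpc"):
        # Read-only RPC interface: no state change, so no token is required.
        return (200, "rpc ok")
    if method == "POST":
        # Any HTML-interface user action must carry the form's token; a helper
        # that posts the form without it gets the error quoted in the thread.
        if not check_token(session_id, form.get("token")):
            return (403, "Invalid token for user action.")
        return (200, "action %s applied" % form.get("action", "none"))
    # Plain GET of a page: render the form with the token embedded.
    return (200, "form token=%s" % make_token(session_id))


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    print(handle_request("POST", "/packages", sid, {"action": "flag"}))
    print(handle_request("POST", "/packages", sid,
                         {"action": "flag", "token": make_token(sid)}))
    print(handle_request("GET", "/rpc?type=info&arg=burp", sid, {}))
```

A helper that only scrapes the HTML and re-posts the form fields it knew about before the change hits the 403 branch; one that first fetches the form and forwards the hidden token (as burp 1.6.9 does per the thread) passes.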