Kallithea 0.3.5 released (security release)

Thomas De Schampheleire patrickdepinguin at gmail.com
Wed Jun 6 22:03:35 UTC 2018


Hello everyone,

A new stable bugfix release of Kallithea, 0.3.5, has just been released.
This release fixes four serious security issues (highlighted below). There are
no other changes in this release.

Users should update their Kallithea instances as soon as possible to release
0.3.5. Users that are following the 'default' development branch (instead of
official releases) should update to the latest revision.

To detect a possible breach, administrators should verify the permissions inside
Kallithea of all existing repositories, the presence of unexpected newly created
repositories and repository groups inside Kallithea, and the presence of newly
created repositories on the filesystem outside of the configured Kallithea
repository root.

All the security issues below were found and reported by:

    Kacper Szurek (https://security.szurek.pl/).

Many thanks to Kacper for these reports.

1. This vulnerability allows a normal user to modify the permissions
   of repositories they do not normally have access to. This allows the
   user to get full admin access to the repository.
   Vulnerability type: incorrect access control.

2. This vulnerability allows a normal user to access the contents of
   repositories they do not normally have access to.
   Vulnerability type: incorrect access control.

3. This vulnerability allows a normal user to clone a repository to a filesystem
   path outside the Kallithea repository root.
   Vulnerability type: directory traversal.

4. This vulnerability allows a normal user to inject code into pages
   viewable by other users/visitors of Kallithea (XSS).
   Vulnerability type: cross-site scripting (XSS).


As always, the release is available from PyPI:
https://files.pythonhosted.org/packages/source/K/Kallithea/Kallithea-0.3.5.tar.gz
(sha256: 4b598546494a3b68a5a7ff40b313606dc5de14e8eeb351b8a6adafc68631f729)

The above announcement is also available on the website:
https://kallithea-scm.org/news/release-0.3.5.html

Best regards,
Thomas
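
The filesystem part of the breach check described above (repositories created outside the configured repository root), as an added example that is not part of the original announcement or of Kallithea's own code. The function names, the `since_epoch` cutoff and the sample layout are assumptions made for illustration; repositories are recognised by the standard Mercurial and Git on-disk markers.

```python
import os
import tempfile

def looks_like_repo(entries):
    """Mercurial: '.hg'. Git: '.git', or a bare layout with HEAD + objects + refs."""
    names = set(entries)
    if ".hg" in names or ".git" in names:
        return True
    return {"HEAD", "objects", "refs"} <= names

def find_stray_repos(search_roots, repo_root, since_epoch=0.0):
    """Return repositories found under search_roots that lie outside repo_root
    and whose directory mtime is at or after since_epoch (hypothetical cutoff,
    e.g. the date the vulnerable version was deployed)."""
    repo_root = os.path.realpath(repo_root)
    found = set()
    for root in search_roots:
        for dirpath, dirnames, filenames in os.walk(os.path.realpath(root)):
            real = os.path.realpath(dirpath)
            if real == repo_root or real.startswith(repo_root + os.sep):
                dirnames[:] = []      # legitimate storage, do not descend
                continue
            if looks_like_repo(dirnames + filenames):
                if os.stat(real).st_mtime >= since_epoch:
                    found.add(real)
                dirnames[:] = []      # do not walk repository internals
    return sorted(found)

def demo():
    """Constructed layout: one repository inside the root, two outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "srv", "repos")
    os.makedirs(os.path.join(root, "project", ".hg"))        # expected location
    os.makedirs(os.path.join(base, "tmp", "x", ".hg"))       # stray Mercurial repo
    bare = os.path.join(base, "var", "bare.git")             # stray bare Git repo
    for sub in ("objects", "refs"):
        os.makedirs(os.path.join(bare, sub))
    open(os.path.join(bare, "HEAD"), "w").close()
    return base, root, find_stray_repos([base], root)

if __name__ == "__main__":
    for path in demo()[2]:
        print("repository outside configured root:", path)
```

On a real host, pass the directories writable by the Kallithea service account as `search_roots` and the configured repository root as `repo_root`.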
