Hi,
I received an email informing us of a vulnerability found in the version of OJS we have installed, 3.3.0.13. I want to check with you whether it is true that this vulnerability affects this version, since something very similar happened to us with our platform. If so, I would like you to share the security patches, if they exist, so I can apply them to my installation, since at this time we have no plans to upgrade.
The following is the link they sent us in the email, which explains the vulnerability in version 3.3.0.13 of the OJS platform.
Regards,
Hi @diegomejia07,
Looking at this post and the timeline around it, it looks as though these issues were addressed in 3.3.0-18, which was announced a few months back: OJS, OMP, and OPS 3.3.0-18 and 3.4.0-6 released. @asmecher, can you confirm?
Monitoring for more recent releases, especially those that contain security fixes, and upgrading is always highly recommended.
-Roger
PKP Team
Hi @diegomejia07 / @rcgillis,
I can confirm that these issues are resolved in later releases of 3.3.0-x. Attempting to list off the patches that were applied is risky, as I recall a number of XSS issues being fixed around that time, and I’d be likely to miss one. Therefore I’d recommend just upgrading. If the database upgrade process is something you don’t want to do now, note that builds within a line of releases are database-compatible – for example, 3.3.0-13 and 3.3.0-18 are database compatible. Therefore you can simply use the latest 3.3.0-x code with your existing database etc., and not worry about running the upgrade script.
Regards,
Alec Smecher
Public Knowledge Project Team
Thank you very much for the response @asmecher and @rcgillis.
As I understand it, I can deploy the 3.3.0.18 installation files over my OJS 3.3.0.13 without updating the database. Wouldn't there be any problems?
Hi @diegomejia07,
That’s correct. OJS will still report the old version, since the database hasn’t been updated, but you won’t encounter any problems.
As always, though, make sure to take a complete backup beforehand.
Regards,
Alec Smecher
Public Knowledge Project Team
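The procedure Alec describes above (take a complete backup, then put the latest 3.3.0-x code in place over a 3.3.0-13 install without running the database upgrade) as a script. This is an added example, not code from the thread or from PKP, and it assumes the standard OJS 3.x layout: `config.inc.php` at the install root, a `public/` directory, the uploads directory named by `files_dir` in `config.inc.php`, the code release recorded in `dbscripts/xml/version.xml`, and a MySQL/MariaDB database (the `mysqldump` step would need changing for PostgreSQL). The function names and the refusal to swap across release lines are this example's own design, not a PKP-documented procedure.

```shell
#!/bin/sh
# Added example (not from the thread or from PKP): swap the code of a
# same-line OJS release (e.g. 3.3.0-13 -> 3.3.0-18) into place without
# running the database upgrade script, after a full backup.
# Assumes the standard OJS 3.x layout described in the lead-in.
set -eu

# Code release recorded in an install tree's dbscripts/xml/version.xml
# (the tarball of 3.3.0-18 records 3.3.0.18 here).
code_release() {
    sed -n 's:.*<release>\([^<]*\)</release>.*:\1:p' "$1/dbscripts/xml/version.xml"
}

# Value of a key in the [database] section of config.inc.php
# (keys such as "name" may also appear in other sections, so scope it).
db_value() {
    awk -v key="$2" '
        /^\[/ { dbsec = ($0 ~ /^\[database\]/) }
        dbsec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1/config.inc.php"
}

# files_dir from config.inc.php, ignoring commented-out lines.
files_dir_of() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1/config.inc.php" | head -n 1
}

# Archive the live code tree and the uploads directory into $3.
backup_install() {
    install="$1"; files="$2"; dest="$3"
    mkdir -p "$dest"
    tar -C "$(dirname "$install")" -cf "$dest/code.tar" "$(basename "$install")"
    tar -C "$(dirname "$files")" -cf "$dest/files.tar" "$(basename "$files")"
}

# Dump the database named in config.inc.php into $2/db.sql (MySQL assumed).
backup_db() {
    install="$1"; dest="$2"
    mkdir -p "$dest"
    mysqldump -h "$(db_value "$install" host)" -u "$(db_value "$install" username)" \
        -p"$(db_value "$install" password)" "$(db_value "$install" name)" > "$dest/db.sql"
}

# Put the unpacked new release tree $2 in place of the live install $1.
# Refuses a cross-line swap (major.minor.patch must match), keeps the live
# config.inc.php and public/, and leaves the old tree at $1.prev for rollback.
swap_code() {
    install="$1"; new="$2"
    old_rel=$(code_release "$install"); new_rel=$(code_release "$new")
    if [ "${old_rel%.*}" != "${new_rel%.*}" ]; then
        echo "refusing: $old_rel -> $new_rel is not within one release line; run the upgrade script instead" >&2
        return 1
    fi
    cp "$install/config.inc.php" "$new/config.inc.php"
    rm -rf "$new/public"
    cp -R "$install/public" "$new/public"
    mv "$install" "$install.prev"
    mv "$new" "$install"
}

# Typical use (paths are placeholders):
#   backup_db /var/www/ojs /root/ojs-backup
#   backup_install /var/www/ojs "$(files_dir_of /var/www/ojs)" /root/ojs-backup
#   swap_code /var/www/ojs /tmp/ojs-3.3.0-18
```

Plugins installed through the Plugin Gallery live under `plugins/` in the live tree and are not carried over by this script; copy them from the `.prev` tree afterwards. As Alec notes, the admin interface will keep reporting the old version because the `versions` table was not touched; `code_release` on the install directory shows what is actually running.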
Hello all,
First of all, we would like to say thank you very much for the quick response given by Alec to our report in August regarding these security vulnerabilities. We are grateful that this problem could be resolved properly with the release of the latest version of OJS at that time (OJS 3.3.0-18 or 3.3.0.19), as previously mentioned.
We initiated the broadcast email based on a security vulnerability we had found earlier; we quickly reported it to Alec, and he responded to our message quickly. In addition, we created this broadcast with the aim of making OJS users more aware of technical problems like this, so that they can use OJS smoothly and, of course, safely.
Regards,
Almadani
OJT Team