This afternoon (16h20 CET) a user of Indefero found a security vulnerability in Indefero. It affects all releases of Indefero up to 0.8.9; release 0.8.10, published less than 1h30 after the report of the vulnerability, provides a fix.
The vulnerability is in the git serving component. If a project is marked as private and its source is made available read-only to extra authorized users, any other user of the forge with a valid SSH key could get read-only access to the project, provided they knew the project's short name. In the case of the hosted offer, a user from another forge could not access the projects of your forge: the vulnerability was isolated at the forge level.
If you are using the hosted offer, the issue has already been fixed. If you run your own installation of Indefero, here are the three possible ways to fix the vulnerability:
- Upgrade to the latest 0.8.10 (recommended).
- Patch the code with the following patch.
- If you cannot update your code right now, change the access right in the source tab to "members or admin". You lose the read-only access for the extra authorized users, but you close the issue.
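As an added illustration (not Indefero's own PHP code), the following Python model of the git-serving authorization check contrasts a flawed check that stops at "authenticated forge user" with one that also consults the project's list of extra authorized users; the project fields, user names and the `extra_readers` attribute are constructed for the example, and it also shows why the "members or admin" workaround closes the hole.

```python
from dataclasses import dataclass, field

# Source-tab access settings named in the advisory (constructed labels).
MEMBERS_OR_ADMIN = "members or admin"
EXTRA_USERS_READ_ONLY = "extra authorized users (read only)"


@dataclass
class Project:
    short_name: str          # git serving looks the project up by this name
    forge: str               # hosted offer: one forge per customer
    private: bool
    source_access: str
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)
    extra_readers: set = field(default_factory=set)  # hypothetical field


@dataclass
class User:
    login: str
    forge: str
    has_valid_ssh_key: bool


def _authenticated_on_forge(user: User, project: Project) -> bool:
    """Isolation at the forge level: SSH keys of another forge never match."""
    return user.forge == project.forge and user.has_valid_ssh_key


def vulnerable_can_read(user: User, project: Project) -> bool:
    """Flawed check modelled on the advisory: once the project's source is
    set to read-only for extra users, any authenticated forge user passes."""
    if not _authenticated_on_forge(user, project):
        return False
    if not project.private:
        return True
    if user.login in project.admins or user.login in project.members:
        return True
    # BUG: authenticated is not authorized; extra_readers is never consulted.
    return project.source_access == EXTRA_USERS_READ_ONLY


def fixed_can_read(user: User, project: Project) -> bool:
    """Hardened check: besides admins and members, only users explicitly
    listed as extra readers get read-only access, and only when enabled."""
    if not _authenticated_on_forge(user, project):
        return False
    if not project.private:
        return True
    if user.login in project.admins or user.login in project.members:
        return True
    return (project.source_access == EXTRA_USERS_READ_ONLY
            and user.login in project.extra_readers)
```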
I am really sorry for this vulnerability. If you have any questions, do not hesitate to contact me through the mailing list or directly.