Security vulnerability

NULL_BYTE · June 11, 2024, 10:07pm

hey guys ,
i found many vulnerability in lucee server source and i sent report their github page after 2 month they dont response ! why ?

andreas · June 12, 2024, 4:53am

What do you mean exactly by

They have a dedicated email address for security issues specified on the security section, and I know they take security reports very seriously (as they have shown in the past discoveries). But I don’t know how to send reports to guthub.

gunnar.lieb · June 12, 2024, 10:17am

As Andreas mentioned it be good to know where you have sent it exactly to. Tomorrow CFcamp conference will start and if we could get more information we could ask the guys directly

andreas · June 12, 2024, 4:50pm

Are you also going to be there @gunnar.lieb ? I’m on my way.

NULL_BYTE · June 13, 2024, 12:18am

i sent reports to their github

NULL_BYTE · June 13, 2024, 12:20am

https://github.com/lucee/Lucee/security/advisories/GHSA-j7g6-48p5-q9hq
https://github.com/lucee/Lucee/security/advisories/GHSA-3x57-5p9g-v888

gunnar.lieb · June 13, 2024, 9:19am

Yes. @NULL_BYTE I will check

NULL_BYTE · June 13, 2024, 12:02pm

thanks

gunnar.lieb · June 13, 2024, 10:40pm

I had a quick chat today, according to Zak and Micha from Lucee, the issues will be fixed with the next stable release and then published. I don’t know why there was no response to you. I think this should have been handled better.

NULL_BYTE · June 14, 2024, 1:55pm

hmm thanks , but they dont triage and accept issues , idk why , btw thanks

Miguel-F · June 14, 2024, 3:01pm

Unfortunately communications from the Lucee team has been almost nonexistent lately. I’m sure they are busy and we all appreciate that but it would be nice to hear from them every once in a while on what is going on.

andreas · June 14, 2024, 3:11pm

Just posting “live” to you all from cfcamp2024 in Munich. The Lucee Team is more alive than ever! They had lots of stuff, merged lots of open PR, and are now supporting the Websocket Extension… @ajmercer did an awesome live session showing them in action! Some really cool presentations and seeing @Zackster was super!!! Meeting others like @gunnar.lieb was also great! Ahhh …Looks like the Websocket Extension is moving from Beta to RC these days, if it didn’t happen already! this CFCAMP was AWESOME!!!

Again, they need our Help for community stuff! Keep an eye on the github merges and Jira as well, so you’ll see their continuous, almost daily work!

Feels great to see the work going on!

andreas · June 14, 2024, 3:24pm

Ahhh, besides… even this not beeing an ACF forum and a little offtopic… this is somehow cfml related: it was really great to also see Adobe and Mark Takata showing up with commitment to the CFML-community outside the US. It was a really nice CFML event.

Additionally thanks @bennadel for the awesome gift of your cool “Feature Flags” book. We missed you here a lot, and we’ll hopefully have some German selters here with you next year

bennadel · June 16, 2024, 9:45am

I really hope you enjoy it! And huge thanks to @agentK and @madmike_de for including me in the festivities

madmike_de · June 16, 2024, 10:53am

We have to say thank you for letting us print this awesome present!