From 622e7cc09709c4e87914772e368c21231bb9f840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Tue, 4 Jan 2022 15:43:30 +0100
Subject: [PATCH 1/2] security: prevent searching user emails by name (again)

This time, the security fix addresses an issue in the logout url.
---
 CHANGELOG.md | 8 +++++---
 tutor/templates/build/openedx/Dockerfile | 4 +++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f5b7274..61b1542 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,15 +4,17 @@ Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
 
-## v13.0.2
+- [Security] Prevent non-staff users from searching usernames by email by abusing the logout url.
+
+## v13.0.2 (2021-12-22)
 
 - [Security] Prevent non-staff users from searching usernames by email.
 
-## v13.0.1
+## v13.0.1 (2021-12-20)
 
 - [Fix] Missing requirements file in `pip install tutor[full]`.
 
-## v13.0.0
+## v13.0.0 (2021-12-20)
 
 - 💥[Improvement] Upgrade to Maple
 - Install all official plugins as part of the `tutor[full]` package.
diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
index a5a5c5d..8043853 100644
--- a/tutor/templates/build/openedx/Dockerfile
+++ b/tutor/templates/build/openedx/Dockerfile
@@ -50,9 +50,11 @@ RUN git fetch --depth=2 https://github.com/regisb/edx-platform 51e0ec3b97ae5badb
 # Fix forum notification for questions
 # https://github.com/edx/edx-platform/pull/29611
 RUN git fetch --depth=2 https://github.com/open-craft/edx-platform/ 03731f19459e558f188c06aac5cc9ca1bbc675c2 && git cherry-pick 03731f19459e558f188c06aac5cc9ca1bbc675c2
-# Fix email search
+# Security fixes: user search by email
 # https://github.com/overhangio/edx-platform/commit/78da3d86b79e808462b88f219efb90bf8253a5d1
+# https://github.com/overhangio/edx-platform/commit/b63c01fb38a60f4581bdecbc528fa64cc3d3ef0d
 RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ 78da3d86b79e808462b88f219efb90bf8253a5d1 && git cherry-pick 78da3d86b79e808462b88f219efb90bf8253a5d1
+RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ b63c01fb38a60f4581bdecbc528fa64cc3d3ef0d && git cherry-pick b63c01fb38a60f4581bdecbc528fa64cc3d3ef0d
 {% endif %}
 {# Example: RUN git fetch --depth=2 https://github.com/edx/edx-platform && git cherry-pick #}
 

From 699ef4c6d58725d2dc6e2a24a89996f6f8f9ec15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Tue, 4 Jan 2022 15:47:44 +0100
Subject: [PATCH 2/2] security: upgrade django to 3.2.11 in edx-platform

See release notes: https://docs.djangoproject.com/en/3.2/releases/3.2.11/
---
 CHANGELOG.md | 1 +
 tutor/templates/build/openedx/Dockerfile | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61b1542..e90aae1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
 
+- [Security] Upgrade Django to 3.2.11 in edx-platform.
 - [Security] Prevent non-staff users from searching usernames by email by abusing the logout url.
 
 ## v13.0.2 (2021-12-22)
diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
index 8043853..7af5db2 100644
--- a/tutor/templates/build/openedx/Dockerfile
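Review bot: The rewritten comment `+# Security fixes: user search by email` does not say what the second cherry-pick (b63c01fb…) changes, so a reader of the Dockerfile cannot tell the two overhangio commits apart without opening them; the commit message is the only place that records it closes the same username-by-email lookup through the logout url. I would make the comment carry that distinction, e.g. `# Security fixes: prevent non-staff users from searching usernames by email` followed by `# (b63c01f: same lookup reachable via the logout url)` above the second commit URL. Both fetches are pinned by full commit hash, so the cherry-picked content is fixed, but they come from the overhangio fork rather than edx/edx-platform; if these fixes land upstream later, a note pointing to the upstream PR would let a maintainer retire the cherry-picks. The `{% if %}` block enclosing these RUN lines opens outside the hunk, so the condition under which the patches are applied is not visible here.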
+++ b/tutor/templates/build/openedx/Dockerfile
@@ -55,6 +55,9 @@ RUN git fetch --depth=2 https://github.com/open-craft/edx-platform/ 03731f19459e
 # https://github.com/overhangio/edx-platform/commit/b63c01fb38a60f4581bdecbc528fa64cc3d3ef0d
 RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ 78da3d86b79e808462b88f219efb90bf8253a5d1 && git cherry-pick 78da3d86b79e808462b88f219efb90bf8253a5d1
 RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ b63c01fb38a60f4581bdecbc528fa64cc3d3ef0d && git cherry-pick b63c01fb38a60f4581bdecbc528fa64cc3d3ef0d
+# Upgrade Django to 3.2.11
+# https://github.com/edx/edx-platform/commit/85eb44445b8a6207b967bd4af5666e521a4af9b5
+RUN git fetch --depth=2 https://github.com/edx/edx-platform/ 85eb44445b8a6207b967bd4af5666e521a4af9b5 && git cherry-pick 85eb44445b8a6207b967bd4af5666e521a4af9b5
 {% endif %}
 {# Example: RUN git fetch --depth=2 https://github.com/edx/edx-platform && git cherry-pick #}
 
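Review bot: The new comment `+# Upgrade Django to 3.2.11` does not record that this is a security upgrade or link the release notes the commit message cites, so the reason for the pin is lost once the Dockerfile is read on its own; I would write `# Security: upgrade Django to 3.2.11 (see https://docs.djangoproject.com/en/3.2/releases/3.2.11/)` above the commit URL. The commit is fetched from edx/edx-platform by full hash, so the applied content is fixed; if 85eb444 touches requirement files the two preceding overhangio cherry-picks also modify, the `git cherry-pick` in the `&&` chain would stop the build on a conflict rather than silently drop the change, which is presumably the intended failure mode but worth confirming with a build. The `{% if %}` block enclosing these RUN lines opens outside the hunk.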