From: hiro <23hiro@gmail.com>
Date: Sat, 24 Aug 2024 21:08:42 +0200
To: 9front <9front@9front.org>
Subject: [9front] patch your shit

some people did something that increases security apparently. so patch your shit.

ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
author: Jacob Moody
date: Sat Aug 24 12:58:31 EDT 2024

lib9p: verify uname against returned AuthInfo from factotum (thanks humm)

Before this it was possible to Tauth and Tattach with one user name and then authenticate with factotum using a different user name. To fix this we now ensure that the uname matches the returned cuid from AuthInfo.

This security bug is still pending a cute mascot and theme song.

my name is hase.

bye.
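
The check the commit message describes, modeled in portable C as an added example; it is not part of the original message and not lib9p's code. The AuthResult and AuthFid structs, the function names and the user names are hypothetical, and only the comparison of the claimed uname against the authenticated cuid comes from the commit text.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the AuthInfo that factotum returns. */
typedef struct { const char *cuid; } AuthResult;

/* Hypothetical auth fid: the name claimed at Tauth plus the auth outcome. */
typedef struct {
    const char *uname;     /* user name claimed in Tauth */
    const AuthResult *ai;  /* NULL until authentication completes */
} AuthFid;

/* Before the fix, as described: Tattach only has to agree with Tauth. */
static int attach_ok_before(const AuthFid *af, const char *attach_uname)
{
    if (af == NULL || af->ai == NULL)
        return 0;
    return strcmp(af->uname, attach_uname) == 0;
}

/* After the fix: the claimed uname must also equal the authenticated cuid. */
static int attach_ok_after(const AuthFid *af, const char *attach_uname)
{
    if (!attach_ok_before(af, attach_uname) || af->ai->cuid == NULL)
        return 0;
    return strcmp(af->ai->cuid, attach_uname) == 0;
}

/* Runs constructed cases; counts attaches accepted under a name other than
 * the one that was actually authenticated. */
static int count_accepted_mismatches(int (*check)(const AuthFid *, const char *))
{
    static const AuthResult as_bob = { "bob" }, as_alice = { "alice" };
    const AuthFid cases[] = {
        { "alice", &as_bob },    /* claimed alice, authenticated as bob */
        { "alice", &as_alice },  /* consistent */
        { "alice", NULL },       /* authentication never finished */
    };
    int n = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (check(&cases[i], "alice") &&
            (cases[i].ai == NULL || strcmp(cases[i].ai->cuid, "alice") != 0))
            n++;
    return n;
}

int main(void)
{
    printf("before: %d\n", count_accepted_mismatches(attach_ok_before));
    printf("after:  %d\n", count_accepted_mismatches(attach_ok_after));
    return 0;
}
```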