Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix potential code injection on MAC address validator #1165

Merged
merged 1 commit into from
Feb 18, 2020
Merged

Fix potential code injection on MAC address validator #1165

merged 1 commit into from
Feb 18, 2020

Conversation

PromoFaux
Copy link
Member

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes, and have included unit tests where possible.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)

This is already fixed in release/v5.0, but pending that actually being pushed to master/released any time soon (though hopefully sooner rather than later)

I am proposing a 4.3.3 on the Web interface as an interim release.

Currently, I would say that this exploit is low risk, as it first requires an authenticated user to be logged into the web interface, really the most damage that can be done here is an admin messing up their own system.

@PromoFaux PromoFaux mentioned this pull request Feb 18, 2020
Closed
8 tasks
@PromoFaux PromoFaux merged commit 62f2ffc into master Feb 18, 2020
@PromoFaux
Copy link
Member Author

Thanks to @nate-red for pointing this out to us

@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/update-webinterface/28526/5

@iasdeoupxe
Copy link

CVE-2020-8816 seems got assigned for this issue:

https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/

@DL6ER DL6ER deleted the release/v4.3.3 branch September 10, 2021 06:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dschaper dschaper dschaper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@PromoFaux @pralor-bot @iasdeoupxe @dschaper