Bugtracker recent changes

kkremitzki
Veteran
Posts: 2511
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Bugtracker recent changes

Post by kkremitzki »

Kunda1 wrote:
kkremitzki wrote: The backup I grabbed today of the tracker is live in my staging environment and can be browsed (for the time being) if anyone wants to see stuff in the 3/29-4/25 window:
https://freecad.io/tracker/my_view_page.php
thanks for all the work! FYI the URL is unreachable.
PS hope finals went well for you
Thanks for letting me know, I didn't realize because it was working inside my LAN. It should be fixed now.
Like my FreeCAD work? I'd appreciate any level of support via Patreon, Liberapay, or PayPal! Read more about what I do at my blog.
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Bugtracker recent changes

Post by Kunda1 »

kkremitzki wrote: The backup I grabbed today of the tracker is live in my staging environment and can be browsed (for the time being) if anyone wants to see stuff in the 3/29-4/25 window:
https://freecad.io/tracker/my_view_page.php
so what is the best way to go about fixing this?
I've gone in and manually changed/resolved/closed some tickets already. Is that ok?
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Check out:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
kkremitzki
Veteran
Posts: 2511
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Bugtracker recent changes

Post by kkremitzki »

Kunda1 wrote:
kkremitzki wrote: The backup I grabbed today of the tracker is live in my staging environment and can be browsed (for the time being) if anyone wants to see stuff in the 3/29-4/25 window:
https://freecad.io/tracker/my_view_page.php
so what is the best way to go about fixing this?
I've gone in and manually changed/resolved/closed some tickets already. Is that ok?
First off, thanks a ton for jumping in and helping!

IMO the most important thing is that any bugs that were opened previously be recreated if possible and their reporter pinged in the comments. (I had an idea on how to add the "@user" functionality to the forums btw, just gotta find some time to test it! 8-) ) Unfortunately some newcomers' accounts might be lost. If someone went to the trouble of reporting an issue to us once though that info should be retained--if you can scroll through the history and take a shot at that, I'd say that's good enough.
triplus
Veteran
Posts: 9471
Joined: Mon Dec 12, 2011 4:45 pm

Re: Bugtracker recent changes

Post by triplus »

Are passwords saved in the backup, and do they get restored from the backup? If that happens and the breach happened, I feel the attacker has the passwords of all the users. Especially the users with some administration powers must therefore change their password in some coordinated way, so that the attacker does not have access to them in the time between individual users with administration powers changing their passwords.

As I see it, the Jrigel account was disabled and the Arch subproject got deleted afterwards. That comes down to one of the users with such powers on the issue tracker not having changed the password yet, there being a new user hidden somewhere, or the attacker just having got the new password by logging in with the password of another administrator.
yorik
Founder
Posts: 13640
Joined: Tue Feb 17, 2009 9:16 pm
Location: Brussels

Re: Bugtracker recent changes

Post by yorik »

Thanks for the repair job guys! I think what you're doing is fine @Kunda1, it doesn't seem a big deal if the "re-added" things are a bit different from the original...
kkremitzki wrote: I had an idea on how to add the "@user" functionality to the forums btw, just gotta find some time to test it! 8-)
Wow, I'd be curious to see that :) Have you seen that there is a mention addon being worked on, that will be for the next version of phpBB? https://www.phpbb.com/community/viewtop ... &t=2393186
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Bugtracker recent changes

Post by Kunda1 »

Is it possible to update the mantis minor version?
Also as triplus mentioned is there a way to prompt all users to reset their passwords?
kkremitzki
Veteran
Posts: 2511
Joined: Thu Mar 03, 2016 9:52 pm
Location: Illinois

Re: Bugtracker recent changes

Post by kkremitzki »

Kunda1 wrote: Is it possible to update the mantis minor version?
Yes, I manually applied the bugfix that makes up the 5.3.1 change, so the 5.3.0 tag is just cosmetic--I'll do the actual upgrade shortly.
Also as triplus mentioned is there a way to prompt all users to reset their passwords?
Well, for one, the vulnerability did not expose user passwords, although emails were visible. Since there are no private messages or anything on MantisBT, the emails are the only info that could have leaked. I went through the admin interface to see what else can be seen--not much. However, I do believe there is a plugin to do "announcements" on MantisBT. I just have never tested it.
triplus
Veteran
Posts: 9471
Joined: Mon Dec 12, 2011 4:45 pm

Re: Bugtracker recent changes

Post by triplus »

OK, therefore the critical security issue was fixed (as we use 2.3.1). The attacker shouldn't be able to reset passwords remotely any more. Administrators don't have access to other user/administrator passwords? Then I guess we need to assume the attacker has the password of one of the administrator accounts, as the Jrigel account was disabled and the Arch subproject got deleted afterwards. Sorting this out first therefore likely makes sense: first, all the users that have some administration power change their password (or, if the account is inactive, disable it for now).

P.S. But if the attacker did exploit the mentioned vulnerability, I am guessing the administrator using that account would know that? As the login procedure wouldn't work anymore due to the changed password?
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Bugtracker recent changes

Post by Kunda1 »

Idea: on freecad.io I can tag all the tickets from the date the event happened till the most recent ticket in order to organize a list. Then I can close or even delete the tickets on freecad.io that have been updated on freecadweb.org to keep track of progress. Or instead of closing tickets I could tag them as completed... not sure yet.
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Bugtracker recent changes

Post by Kunda1 »

kkremitzki wrote:
Kunda1 wrote: Is it possible to update the mantis minor version?
Yes, I manually applied the bugfix that makes up the 5.3.1 change, so the 5.3.0 tag is just cosmetic--I'll do the actual upgrade shortly
Sweet. The upgrade will be for 2.3.2 right? Since it takes care of https://www.mantisbt.org/bugs/view.php?id=22742

Also, any possibility to sync source-integration change set with git repo? I know that's a PITA but it would make triaging much faster since I can attach commits to tickets no problem.