Luke, posted August 1, 2023:

> 6 hours ago, rbjtech said:
> @Luke Do you have a better ETA than 'coming soon' - as that could be next week or it could be next year ... This month or next month would suffice .. thanks.

Trying to get a new build out any day now.

thornbill, posted March 6:

> On 6/21/2023 at 5:38 AM, softworkz said:
> Amendment to section 1.3.1-2
> The reason for postponing the disclosure of the mentioned vulnerability is that there is still a number of Emby Servers online where users haven't updated yet. As long as that is the case, we will not disclose the vulnerability.

Has the additional vulnerability ever been disclosed?

Luke, posted March 6:

> 7 minutes ago, thornbill said:
> Has the additional vulnerability ever been disclosed?

Hi, what do you mean by additional?

thornbill, posted March 6:

> 16 hours ago, Luke said:
> Hi, what do you mean by additional?

In section 1.3.1 two vulnerabilities are listed, but it does not seem like the second was ever disclosed:

> Eventually, two possible exploitation methods could be identified:

> 2. Undisclosed Vulnerability
> - It had turned out later that this wasn’t used in any case of the incident under investigation
> - Disclosure has been postponed
> - This vulnerability has been fixed already in
>   a. Stable versions >= 4.7.13
>   b. Beta versions >= 4.8.36

softworkz (Author), posted March 11:

> On 3/6/2024 at 6:47 AM, thornbill said:
> Has the additional vulnerability ever been disclosed?

It hasn't and it won't.

The mentioned "undisclosed vulnerability" was based on a hypothesis I had during the investigation of the incident, but it turned out that it didn't apply to the case and from a retrospective view, it's also been a bit too tricky as that someone could have found out without deep knowledge about the product.

So after all, it was merely an idea of how the server could possibly be hacked and I hope you'll understand that we do not share ideas about hacking our software.

Gilgamesh_48, posted March 12:

> 1 hour ago, softworkz said:
> It hasn't and it won't. The mentioned "undisclosed vulnerability" was based on a hypothesis I had during the investigation of the incident, but it turned out that it didn't apply to the case and from a retrospective view, it's also been a bit too tricky as that someone could have found out without deep knowledge about the product. So after all, it was merely an idea of how the server could possibly be hacked and I hope you'll understand that we do not share ideas about hacking our software.

I think the real problem was, and is, either magic, gremlins or magical gremlins.