Hi,
Just read this in the 20.7.6 release notes:
plugins: os-mail-backup not available due to unaddressed security concerns
I'm using this plugin, where can I get more info about these security concerns?
I can't seem to find any open issues on GitHub mentioning mail-backup plugin.
Quote: The mail backup plugin is currently not available pending a response from the maintainer. Users are advised to avoid using it for the moment.
https://forum.opnsense.org/index.php?topic=20389.msg70368
From your perspective, would it make sense to discuss unresolved security issues in public?
Quote from: chemlud on December 10, 2020, 07:37:01 PM
Quote: The mail backup plugin is currently not available pending a response from the maintainer. Users are advised to avoid using it for the moment.
https://forum.opnsense.org/index.php?topic=20389.msg70368
From your perspective, would it make sense to discuss unresolved security issues in public?
That depends on the security issue. You can tell a bit more about the issue without telling the details I would guess.
Now I don't know if I have to actively remove the plugin from all devices or maybe it's a risk I'm willing to take...
Quote: Users are advised to avoid using it for the moment.
How is that ambiguous?
First time we had to deal with such an issue. It's a data leak as far as I know and that's all I can share at this point.
We did our duty to not publish the plugin and inform users.
There are two scenarios worth publishing the details: the maintainer fixes the plugin and we continue publishing it or the plugin is deleted with the details of the issue attached.
Cheers,
Franco
Hi,
Any news on this?