plugins: os-mail-backup not available due to unaddressed security concerns

Started by marcelmah, December 10, 2020, 10:57:34 AM

Hi,

Just read this in the 20.7.6 release notes:
plugins: os-mail-backup not available due to unaddressed security concerns

I'm using this plugin, where can I get more info about these security concerns?
I can't seem to find any open issues on GitHub mentioning the mail-backup plugin.

Quote: The mail backup plugin is currently not available pending a response from the maintainer. Users are advised to avoid using it for the moment.

https://forum.opnsense.org/index.php?topic=20389.msg70368

From your perspective, would it make sense to discuss unresolved security issues in public?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: chemlud on December 10, 2020, 07:37:01 PM
Quote: The mail backup plugin is currently not available pending a response from the maintainer. Users are advised to avoid using it for the moment.

https://forum.opnsense.org/index.php?topic=20389.msg70368

From your perspective, would it make sense to discuss unresolved security issues in public?
That depends on the security issue. You can tell a bit more about the issue without telling the details I would guess.

Now I don't know if I have to actively remove the plugin from all devices or maybe it's a risk I'm willing to take...

Quote: Users are advised to avoid using it for the moment.

How is that ambiguous?
kind regards
chemlud

First time we had to deal with such an issue. It's a data leak as far as I know and that's all I can share at this point.

We did our duty to not publish the plugin and inform users.

There are two scenarios worth publishing the details: the maintainer fixes the plugin and we continue publishing it or the plugin is deleted with the details of the issue attached.


Cheers,
Franco