
Release/4.1.2 #725

Merged
merged 3 commits into from
Jun 12, 2025

Conversation

tillprochaska
Contributor

No description provided.

@tillprochaska tillprochaska marked this pull request as ready for review June 12, 2025 16:33
@tillprochaska tillprochaska requested a review from en-occrp June 12, 2025 16:34
@tillprochaska tillprochaska added this pull request to the merge queue Jun 12, 2025
Merged via the queue into main with commit cbdbf83 Jun 12, 2025
2 checks passed
@riotbib

riotbib commented Jun 13, 2025

Hi @tillprochaska, as I understand the discourse announcement, there is a serious security patch in 321ef6f.

I sunset my Aleph deployment a few weeks ago. I would have been quite disappointed to not hear about this security issue in advance.

IMHO best practice would be to announce the patch weeks in advance, so admins can be ready when the patch is released. Just dropping a patch like this endangers the users, admins and data contained in an instance.

Would be happy to hear your thoughts about this. Thanks.

@zaniiezxx3

Hi @riotbib. Thank you for your comment and we completely understand your concern.

We were notified of the issue just last week and moved quickly to release a patch for the Aleph community within 36 hours. Ideally, we would have provided advance notice to all administrators but in this case, acting swiftly was necessary. We absolutely agree that advance communication is best practice and we're committed to that whenever timelines allow.

For ongoing updates and community discussions, feel free to join us on our Discourse forum. We always welcome input and feedback there.

Thanks again for raising this.

@riotbib

riotbib commented Jun 17, 2025

Hi @zaniiezxx3, thanks for your reply.

With all respect, I do not get the reasoning for this decision. Why was it necessary to expose the fix, allowing easy exploits for unpatched systems? The Discourse post has 17 views until today, 5 days after. I guess OCCRP and others patched their deployments, good for you. But what about the rest?

I did sign up for the Discourse forum, but my account was not enabled. I wanted to post my concerns there previously.
