We just released a change (patches are attached to this email) for security vulnerabilities. See the attachments for a patch for the current release and for open-release/juniper.master.
@Ali_Akbar,
Thanks for this announcement. The patch has not been merged to open-release/juniper.master. Can you please give us a git commit sha1 that we can use to patch our platforms?
EDIT: AFAIU this patch has not been merged to the master branch, either. In the future, I think it’s important to modify the security patch process to make sure that both the current release branch and the master branch include the security patch BEFORE the vulnerability is disclosed.
I assume this is the pull request that includes the security fixes? https://github.com/edx/edx-platform/pull/24246
This PR includes 17 commits, which makes it quite difficult to cherry-pick on an existing platform that would be based on open-release/juniper.1 (the latest stable release tag). When this gets merged in open-release/juniper.master (hopefully very soon) we are going to need an open-release/juniper.2 tag.
cc @nedbat
I’m sorry to complicate matters here. A new step has been added to the security fix procedure now, and I’ve made a PR towards juniper.master containing the changes for the fixes here.