    • VaultWiki Security Update: February 2017

      by pegasus
      Published on February 25, 2017 12:28 PM
      Since the release of 4.0.16 last month, we have uncovered a handful of security issues while making improvements to related features.

      Note: This notice discusses patches that were released on February 17, 2017. If you have upgraded or installed since that date, you do not need to take any action.

      Issue List

      VWE-2017-3388 is a CAN-SPAM Non-compliance issue that affects wiki moderator notifications. It affects all prior versions of the VaultWiki 4.x series.

      VWE-2017-3396 is a Subscription Management Flaw that affects a user's ability to manage feed subscriptions via the user's list of wiki subscriptions. It affects VaultWiki 4.0.0 and higher.

      VWE-2017-3407 is a Subscription Management Flaw that affects a user's ability to manage subscriptions for certain content, where an administrator has revoked their access to that content since they subscribed. It affects all versions of the VaultWiki 4.x series.

      VWE-2017-3415 is a CAN-SPAM Non-compliance issue involving threads that have been moved into the wiki. Unsubscribe links issued within the past 30 days while the content was still a thread are non-functional after the content was moved, yet the user is still subscribed at the new location. Patched versions prevent newly moved threads from having their subscriptions also moved; users will need to re-subscribe. This issue affects VaultWiki 4.0.16.

      VWE-2017-3428 is a Subscription Management Flaw that affects a user's ability to opt out of their default subscription preference when posting new wiki comments. It affects all versions of the VaultWiki 4.x series.

      VWE-2017-3436 is a CAN-SPAM Non-compliance issue involving failure to parse some otherwise valid unsubscribe links. It affects VaultWiki 4.0.16.

      VWE-2017-3437 is a Denial-of-Service Amplification issue involving thumbnail requests. It affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2017-3445 is a Denial of Service issue that can cause specified wiki pages to no longer have new edits successfully applied. It affects VaultWiki 4.0.0 and higher.

      Patches

      The following patches, released February 17, 2017, address the aforementioned issues:
      • 4.0.16 Patch Level 1
      • 4.0.15 Patch Level 5
      • 4.0.14 Patch Level 8
      • 4.0.13 Patch Level 8
      • 4.0.12 Patch Level 9
      • 4.0.11 Patch Level 9
      • 4.0.10 Patch Level 10
      • 4.0.9 Patch Level 10


      We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.
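To check a deployment against the patch list above, here is an added Python example; it is not VaultWiki code, and the advisory does not say how the product reports its version, so the "X.Y.Z Patch Level N" string format (matching the names in the list) is an assumption. A version on a listed branch is "patched" only at or above that branch's patch level; versions newer than the listed set are treated as released after the February 17, 2017 patches, per the note at the top of the notice.

```python
import re
from typing import Tuple

# Patched releases named in the advisory (February 17, 2017): branch -> minimum patch level.
PATCHED_LEVELS = {
    "4.0.16": 1,
    "4.0.15": 5,
    "4.0.14": 8,
    "4.0.13": 8,
    "4.0.12": 9,
    "4.0.11": 9,
    "4.0.10": 10,
    "4.0.9": 10,
}

# Assumed version string format, e.g. "4.0.15 Patch Level 3" or just "4.0.16"
# (a release with no patch level is treated as Patch Level 0).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+Level\s+(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split a version string into ((major, minor, build), patch_level)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, level = m.groups()
    return (int(major), int(minor), int(build)), int(level or 0)


def patch_status(text: str) -> str:
    """Classify a VaultWiki version string against the advisory's patch list.

    Returns one of:
      'patched'     - on a listed branch, at or above its patch level
      'unpatched'   - on a listed branch, below its patch level
      'newer'       - newer than 4.0.16; assumed released after the patches
      'unsupported' - 4.x branch older than 4.0.9; no patch was issued, upgrade
      'not-4.x'     - outside the 4.x series covered by this notice
    """
    (major, minor, build), level = parse_version(text)
    if major != 4:
        return "not-4.x"
    branch = f"{major}.{minor}.{build}"
    if branch in PATCHED_LEVELS:
        return "patched" if level >= PATCHED_LEVELS[branch] else "unpatched"
    newest = max(parse_version(b)[0] for b in PATCHED_LEVELS)
    if (major, minor, build) > newest:
        return "newer"
    return "unsupported"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ["4.0.16 Patch Level 1", "4.0.16", "4.0.14 Patch Level 7", "4.0.8 Patch Level 3"]:
        print(f"{sample!r}: {patch_status(sample)}")
```

Only "patched" or "newer" needs no action; "unpatched" means apply the listed Patch Level for that branch, and "unsupported" means no patch exists for that branch and a move to a patched release is required.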

      Policy Updates

      Prior to this notice, it was customary for us to give each vulnerability a unique name, such as File Blueprint Vulnerability. However, as our database has grown, it has become difficult to continue selecting names with any sort of meaning. Additionally, whenever review of certain issues was necessary later, it was difficult to do based on the name alone. Thus, we have converted our vulnerability database to use IDs that are more meaningful to our internal tracking systems.

      Previously it was customary to issue a Patch Level release immediately, within 1 to 2 days of a security issue being fixed internally. In many cases this has made it difficult for users to keep up with patches as they become available, has caused rapid growth of our database as older patches become superseded, and has cost many development hours to frequent patch issuance procedures. In December 2015, the License Agreement established that up to 30 days is permitted between an issue's discovery and a patch. Thus, beginning with this most recent set of patches, we will begin limiting patches to one (1) per calendar month, except as required to satisfy the 30-day rule or to mitigate an actively exploited issue.