Summary: | DDNS password sent in cleartext for noip.com | ||
---|---|---|---|
Product: | DDNS Updater | Reporter: | Dean Taylor <DLTaylor02> |
Component: | Core | Assignee: | Stefan Schantl <stefan.schantl> |
Status: | CLOSED FIXED | QA Contact: | Michael Tremer <michael.tremer> |
Severity: | Security | ||
Priority: | - Unknown - | CC: | adolf.belka, DLTaylor02 |
Version: | unspecified | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Attachments: | A screenshot of the IPS preventing the password to be sent, because it is in cleartext. |
Description
Dean Taylor
2021-07-08 14:46:28 UTC
Hello Dean, thanks for pointing this out. I've changed the request URL for noip to use the encrypted HTTPS way. https://git.ipfire.org/?p=ddns.git;a=commit;h=e00128d37b22d4eae3823ca21bdbcbb8485fdac2 Best regards, -Stefan (In reply to Stefan Schantl from comment #1) > Hello Dean, > > thanks for pointing this out. > > I've changed the request URL for noip to use the encrypted HTTPS way. > > https://git.ipfire.org/?p=ddns.git;a=commit; > h=e00128d37b22d4eae3823ca21bdbcbb8485fdac2 > > Best regards, > > -Stefan Thank you Stefan, Excuse my ignorance to how bug fixes are released in IPFire, but I would like to know how to receive this fix? Will it be included in the next core update or is there a patch users have to manually download and install? Hello Dean, all fixes usually will be shipped by one of the next one or two core updates. Currently core update 158 is in testing and the merge window for core 159 is closed, so I think this fix may will be part of core 160. Best regards, -Stefan The current version of providers.py has the https url version of njo-ip. The fix for this has been implemented in Core Update 160 with the implementation of ddns-014 Therefore this bug is being closed as fixed. |