Available now for all GNU/Linux operating systems

Dec 22, 2015 02:37 GMT

Jessica Tallon from the MediaGoblin project, open-source media server software designed for GNU/Linux operating systems, announced this past weekend the immediate availability of a patch for GNU MediaGoblin 0.8.

MediaGoblin 0.8.1 is the first point release in the MediaGoblin 0.8 series, dubbed "A Gallery of Fine Creatures," and fixes a single security issue discovered in the OAuth implementation, which apparently affected all previous versions of the GNU MediaGoblin software, starting with build 0.5.0.

The security flaw could have allowed an attacker to access a logged-in session on the user's GNU MediaGoblin account, but only if the user didn't log in via a secure HTTP connection, or accessed his/her account on a public computer. Even so, all MediaGoblin users are urged to update their installations to version 0.8.1 as soon as possible.

"We have had a security problem in our OAuth implementation reported to us privately and have taken steps to address it. The security problem affects all versions of GNU MediaGoblin since 0.5.0. I have created a patch for this and released a minor version 0.8.1. It’s strongly advised that everyone upgrade as soon as they can," said Jessica Tallon.

Here's how to protect your MediaGoblin account

To make sure that your MediaGoblin account is safe and secure, you should first check your authorized clients. If you find a client that you don't know, deauthorize it immediately. To do that, log into your MediaGoblin server, access the drop-down arrow in the upper right corner, click the "Change account settings" button, and then click the "Deauthorize applications" link.

It would appear that the security issue only affected those who clicked the verifier link generated by OAuth, which was not correctly validated. More details can be found in the official announcement, along with the link to the patch. You can also download GNU MediaGoblin 0.8.1 right now from our website if you want to update manually.