This does affect OpenBao as well. We do have a process in place for responsible disclosure but unfortunately we were not informed about those issues before they were published.
Thank you for being communicative about this and for the great work you're doing on OpenBao
I'm very disappointed to hear that the researchers didn't do their due diligence and informed the OpenBao project about this issue before publishing
I imagine this is a stressful situation for everyone involved in the project, so I hope the researchers will do some reflections on how they can avoid this situation happening in the future
Also discussed in https://news.ycombinator.com/item?id=44821434
Does this affect OpenBao as well?
Yes this does affect OpenBao as well. We're actively working on getting a fix out as soon as possible
Even more importantly; were these vulnerabilities responsibly disclosed to the OpenBao project before they were published?*
*Assuming OpenBao has a process in place for this
This does affect OpenBao as well. We do have a process in place for responsible disclosure but unfortunately we were not informed about those issues before they were published.
Thank you for being communicative about this and for the great work you're doing on OpenBao
I'm very disappointed to hear that the researchers didn't do their due diligence and informed the OpenBao project about this issue before publishing
I imagine this is a stressful situation for everyone involved in the project, so I hope the researchers will do some reflections on how they can avoid this situation happening in the future
Almost all of these except the enterprise MFA control group stuff will be in OpenBao yeah