💾 Archived View for gemi.dev › gemini-mailing-list › 000147.gmi captured on 2023-11-04 at 12:28:43. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

jetforce security vulnerability, affecting versions < 0.2.3

Michael Lazar <lazar.michael22 (a) gmail.com>

Greetings,

A vulnerability was recently discovered regarding the jetforce server. There
was a bug in the code that allowed maliciously crafted URLs to break out of the
root directory and serve files from elsewhere on the filesystem [1].

I have fixed the issue and have uploaded a new release v0.2.3 to PyPI and
Github [2][3]. This is a bugfix-only release and does not contain any other
breaking changes. I now consider all versions < v0.2.3 to be insecure. If you
are running jetforce, I strongly urge you to upgrade to the latest version as
soon as possible.

Best,
Michael

[1] https://github.com/michael-lazar/jetforce/issues/24
[2] https://github.com/michael-lazar/jetforce/releases/tag/v0.2.3
[3] https://pypi.org/project/Jetforce/0.2.3/
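
An added illustration of the bug class the announcement describes, a crafted URL escaping the served root directory, with a containment check a file server can apply. This is not jetforce's code or its fix; the function names, directory layout and URLs are constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlparse


def resolve_request(root: Path, url: str) -> Optional[Path]:
    """Map a request URL to a file under root; None if it escapes or is missing."""
    root = root.resolve()
    # Percent-decode first: the decoded text is what the filesystem sees,
    # so "%2e%2e" must be judged as "..".
    rel = unquote(urlparse(url).path)
    if "\x00" in rel:
        return None
    # Strip leading slashes; joining an absolute path would discard root.
    candidate = (root / rel.lstrip("/")).resolve()
    # resolve() collapses ".." and follows symlinks, so containment is
    # checked against the real location rather than the string as sent.
    if candidate != root and root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Run constructed requests against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "var" / "gemini"              # the served root
        root.mkdir(parents=True)
        (root / "index.gmi").write_text("# hello\n")
        secret = base / "secret.txt"                # outside the root
        secret.write_text("not for serving\n")
        (root / "link.txt").symlink_to(secret)      # symlink leaving the root
        urls = [
            "gemini://example.org/index.gmi",
            "gemini://example.org/../../secret.txt",
            "gemini://example.org/%2e%2e/%2e%2e/secret.txt",
            "gemini://example.org/link.txt",
        ]
        # True means the request would be served, False means refused.
        return {u: resolve_request(root, u) is not None for u in urls}


if __name__ == "__main__":
    for url, served in demo().items():
        print("SERVE " if served else "REFUSE", url)
```

The symlink case is the one that a purely string-based check on the URL would miss, since the request path itself contains no `..` segments.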
