💾 Archived View for gemi.dev › gemini-mailing-list › 000147.gmi captured on 2023-12-28 at 15:41:57. Gemini links have been rewritten to link to archived content


jetforce security vulnerability, affecting versions < 0.2.3

1. Michael Lazar (lazar.michael22 (a) gmail.com)

Greetings,

A vulnerability was recently discovered regarding the jetforce server. There
was a bug in the code that allowed maliciously crafted URLs to break out of
the root directory and serve files from elsewhere on the filesystem [1].

I have fixed the issue and have uploaded a new release v0.2.3 to PyPI and
Github [2][3]. This is a bugfix-only release and does not contain any other
breaking changes. I now consider all versions < v0.2.3 to be insecure. If
you are running jetforce, I strongly urge you to upgrade to the latest
version as soon as possible.

Best,
Michael

[1] https://github.com/michael-lazar/jetforce/issues/24
[2] https://github.com/michael-lazar/jetforce/releases/tag/v0.2.3
[3] https://pypi.org/project/Jetforce/0.2.3/
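
The class of bug described in the announcement above, shown as an added example: this is not part of the original message, and it is neither jetforce's code nor its actual fix. The function names, directory layout and sample URLs are constructed for illustration; the sketch contrasts a file lookup that trusts the URL path with one that verifies the resolved path stays under the served root.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit


def naive_resolve(root: Path, url: str) -> Path:
    """Unsafe pattern: join the decoded URL path onto root, no containment check."""
    rel = unquote(urlsplit(url).path).lstrip("/")
    return Path(os.path.normpath(root / rel))


def safe_resolve(root: Path, url: str) -> Optional[Path]:
    """Return the path to serve for url, or None if it would leave root."""
    rel = unquote(urlsplit(url).path).lstrip("/")
    if "\x00" in rel:
        return None
    root_real = root.resolve()
    # resolve() collapses ".." segments and follows symlinks, so the check
    # below is made on the location that would actually be opened.
    candidate = (root_real / rel).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        return None
    return candidate


def demo() -> dict:
    """Resolve constructed sample URLs; returns url -> (naive_escapes, safe_allowed)."""
    urls = [
        "gemini://example.org/index.gmi",
        "gemini://example.org/../private.txt",
        "gemini://example.org/%2e%2e/private.txt",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "var" / "gemini"          # constructed served root
        root.mkdir(parents=True)
        (root / "index.gmi").write_text("# hello\n")
        (root.parent / "private.txt").write_text("not for serving\n")
        results = {}
        for url in urls:
            naive = naive_resolve(root, url)
            escapes = root not in naive.parents      # left the served root?
            results[url] = (escapes, safe_resolve(root, url) is not None)
        return results


if __name__ == "__main__":
    for url, (escapes, allowed) in demo().items():
        print(f"{url}: naive escapes root={escapes}, safe allows={allowed}")
```

A server using the checked form would answer a `None` result with a not-found status instead of opening the file.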