Hi everyone,

there is a security vulnerability in all Agate versions prior to 3.1.0, which has been discovered by Matthew Ingwersen. It has been fixed in the new version which is available on crates.io, prebuilt binaries are also available:
<https://qwertqwefsday.eu/agate/v3.1.0/>
or
<https://github.com/mbrubeck/agate/releases/tag/v3.1.0>

Percent-encoded slashes were misunderstood, possibly allowing arbitrary files to be accessed. This can be an issue depending on with which permissions and/or user you are running the server. Therefore an update is highly recommended.

Regards,
Johann Galle
2021-06-08T09:20+02:00
On Tue Jun 8, 2021 at 8:19 AM BST, Johann Galle wrote:
> Hi everyone,
>
> there is a security vulnerability in all Agate versions prior to 3.1.0,
> which has been discovered by Matthew Ingwersen.

Johann, thank you for letting us know promptly - this list is a good way to let us know - at least for me.

i r uppdated ta.

Cheers
Neil
---
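The advisory in this thread says percent-encoded slashes were misunderstood. As an added example (not code from Agate or from either post), the Rust sketch below shows the general failure pattern when decoded URL segments are joined onto a content root, next to a check that rejects them. The function names and the `/srv/gemini` root are hypothetical, and that this pattern resembles the actual Agate bug is an assumption.

```rust
use std::path::{Component, Path, PathBuf};

/// Decode %XX escapes in one URL path segment; None on a malformed escape or bad UTF-8.
fn percent_decode(seg: &str) -> Option<String> {
    let b = seg.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        if b[i] == b'%' {
            let hi = (*b.get(i + 1)? as char).to_digit(16)?;
            let lo = (*b.get(i + 2)? as char).to_digit(16)?;
            out.push((hi * 16 + lo) as u8);
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Naive mapping (the risky pattern): decoded segments are pushed as-is.
/// `PathBuf::push` replaces the whole path when its argument is absolute.
fn resolve_naive(root: &Path, raw_path: &str) -> Option<PathBuf> {
    let mut full = root.to_path_buf();
    for seg in raw_path.split('/').filter(|s| !s.is_empty()) {
        full.push(percent_decode(seg)?);
    }
    Some(full)
}

/// Hardened mapping: each segment is decoded once and must then be exactly
/// one normal file name (no separator, no "." or "..", no root or prefix).
fn resolve_checked(root: &Path, raw_path: &str) -> Option<PathBuf> {
    let mut full = root.to_path_buf();
    for seg in raw_path.split('/').filter(|s| !s.is_empty()) {
        let decoded = percent_decode(seg)?;
        let mut comps = Path::new(&decoded).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(n)), None) if n == decoded.as_str() => full.push(n),
            _ => return None,
        }
    }
    Some(full)
}

fn main() {
    let root = Path::new("/srv/gemini"); // constructed content root
    for p in ["/docs/index.gmi", "/%2Ftmp%2Fx"] { // constructed request paths
        println!("{}: naive={:?} checked={:?}", p, resolve_naive(root, p), resolve_checked(root, p));
    }
}
```

The separator check has to run on the decoded segment: splitting the raw path on `/` happens before decoding, so a `%2F` only becomes a separator afterwards.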