jetforce security vulnerability, affecting versions < 0.2.3
Michael Lazar
lazar.michael22 at gmail.com
Mon May 25 17:44:45 BST 2020
Greetings,

A vulnerability was recently discovered regarding the jetforce server. There was a bug in the code that allowed maliciously crafted URLs to break out of the root directory and serve files from elsewhere on the filesystem [1].

I have fixed the issue and have uploaded a new release v0.2.3 to PyPI and Github [2][3]. This is a bugfix-only release and does not contain any other breaking changes. I now consider all versions < v0.2.3 to be insecure. If you are running jetforce, I strongly urge you to upgrade to the latest version as soon as possible.

Best,
Michael
[1] https://github.com/michael-lazar/jetforce/issues/24
[2] https://github.com/michael-lazar/jetforce/releases/tag/v0.2.3
[3] https://pypi.org/project/Jetforce/0.2.3/
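The class of bug described in the announcement (a requested URL path escaping the server's root directory) is commonly prevented by resolving the candidate path and checking that it still lies under the real root. The following is an added illustration, not jetforce's own code or its fix; the root directory `/srv/gemini` and the sample URLs are constructed values.

```python
"""Confine a requested URL path to a configured root directory.

Added example, not code from jetforce: shows the kind of check that keeps
'..' segments, percent-encoded variants and prefix look-alikes from escaping
the root. The root path and URLs below are constructed sample values.
"""
import os
from typing import Optional
from urllib.parse import unquote, urlsplit


def resolve_under_root(root: str, url: str) -> Optional[str]:
    """Return the filesystem path for `url` if it stays inside `root`, else None.

    - takes only the path component of the URL (query/fragment are ignored)
    - percent-decodes once, so '%2e%2e' is handled the same as '..'
    - normalizes and follows symlinks with realpath before comparing
    - compares with commonpath, so '/srv/gemini-private' is not mistaken
      for a child of '/srv/gemini' the way a plain startswith() would
    """
    real_root = os.path.realpath(root)
    path = unquote(urlsplit(url).path)
    if "\x00" in path:  # embedded NUL can truncate paths in C-level calls
        return None
    # A leading '/' would make os.path.join discard the root, so strip it.
    candidate = os.path.realpath(os.path.join(real_root, path.lstrip("/")))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


if __name__ == "__main__":
    ROOT = "/srv/gemini"  # constructed sample root directory
    for sample in (
        "gemini://example.org/docs/index.gmi",
        "gemini://example.org/../etc/passwd",
        "gemini://example.org/%2e%2e/%2e%2e/etc/passwd",
        "gemini://example.org/../gemini-private/secret.gmi",
    ):
        print(f"{sample:55} -> {resolve_under_root(ROOT, sample)}")
```

A request is served only when the function returns a path; every `None` is a request that would have left the root.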