allura-dev mailing list archives

From Dave Brondsema <d...@brondsema.net>
Subject security issue with easywidgets (Allura dependency)
Date Wed, 19 Sep 2012 15:21:54 GMT

I recommend all Allura deployments upgrade EasyWidgets to version
0.2dev-20120918 immediately.  If you cannot do that, apply this patch to your
current easywidgets version:
https://bitbucket.org/rick446/easywidgets/changeset/9b761c63620e5cbabc89e7ab34c599bd536f3c75
That will close a vector of attack in which arbitrary filesystem paths can be
specified in the URL and exposed to the requester.  Example in the commit link
above.


-- 
Dave Brondsema : dave@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
              <><
