[jifty-devel] SECURITY UPDATE: Jifty 0.60706
Jesse Vincent
jesse at bestpractical.com
Fri Jul 7 00:36:25 EDT 2006
Heads up! We ran into a potentially exploitable hole in Jifty's static server (when paired with the standalone webserver) this afternoon. You really should update your Jifty applications to this latest release as soon as possible.
I'm terribly sorry for any trouble this might have caused you.
Best,
Jesse
* SECURITY UPDATE: Previous versions of Jifty did not protect users against a class of remote data access vulnerability. If an attacker knew the structure of your local filesystem and you were using the "standalone" webserver in production, the attacker could gain read-only access to local files.

We found this vulnerability on 6 July 2006 during an internal security scan. We've added new tests to ensure that these and other similar vulnerabilities don't recur.

We recommend that ALL users of Jifty UPGRADE to 0.60706 IMMEDIATELY.
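The defensive check a static-file handler needs against this bug class, as an added illustration that is not Jifty's code: every requested path is confined to the static root before the file is opened, and anything that escapes (parent segments, symlinks pointing outside, NUL bytes) is refused. The directory layout is constructed in a temporary directory purely for the example.

```python
"""Hardened static-file lookup: confine every request to the static root."""
import os
import tempfile
from pathlib import Path


def resolve_static(request_path: str, root: str):
    """Map a URL path to a file under root; return its absolute path or None.

    None means "refuse": the caller answers 404 instead of opening the file.
    Each rejection below is a way an unsafe lookup could read outside root."""
    root_real = Path(root).resolve()
    # Split on "/" ourselves: leading slashes vanish, and no segment can be
    # absolute, so joinpath() can never be reset to a different directory.
    segments = [s for s in request_path.split("/") if s not in ("", ".")]
    # Reject any ".." segment outright rather than trusting normalisation.
    if any(s == ".." for s in segments):
        return None
    # Reject NUL bytes, which C-level open() would silently truncate at.
    if any("\0" in s for s in segments):
        return None
    # resolve() follows symlinks, so a link that points outside root is
    # caught by the containment check as well.
    real = root_real.joinpath(*segments).resolve()
    if real != root_real and root_real not in real.parents:
        return None
    if not real.is_file():
        return None
    return str(real)


def make_fixture():
    """Constructed sample layout (hypothetical): a static root holding one
    stylesheet, a secret file beside the root, and a symlink inside the root
    that points at the secret. Returns (root, secret_path)."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    (root / "css").mkdir(parents=True)
    (root / "css" / "app.css").write_text("body {}")
    (base / "secret.txt").write_text("not served")
    os.symlink(base / "secret.txt", root / "leak")
    return str(root), str(base / "secret.txt")
```

A regression test like the one this release added would assert that every escape attempt returns None while the legitimate stylesheet still resolves.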