[jifty-devel] SECURITY UPDATE: Jifty 0.60706

Jesse Vincent jesse at bestpractical.com
Fri Jul 7 00:36:25 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heads up! We ran into a potentially exploitable hole in Jifty's static
server (when paired with the standalone webserver) this afternoon. You
really should update your Jifty applications to this latest release as
soon as possible.

I'm terribly sorry for any trouble this might have caused you.

Best,

Jesse


   * SECURITY UPDATE: Previous versions of Jifty did not
   protect users against a class of remote data access vulnerability.
   If an attacker knew the structure of your local filesystem and you
   were using the "standalone" webserver in production, the attacker
   could gain read-only access to local files.

   We found this vulnerability on 6 July 2006 during an internal
   security scan. We've added new tests to ensure that these and other
   similar vulnerabilities don't recur.

   We recommend that ALL users of Jifty UPGRADE to 0.60706 IMMEDIATELY.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFEreTLEi9d9xCOQEYRAoQqAJ4+AB+ZoresWWaLT19B5bYGQ+W1dQCeL58w
44lyxeB7xuy0q2IaWe5FXp8=
=kB/b
-----END PGP SIGNATURE-----

