
v2.5.1

@sedan07 released this 27 Aug 16:49
· 10 commits to 2.6 since this release
v2.5.1
d7ecabf

Fixed

  • [SECURITY VULNERABILITY] Configuration leak: user/admin users could leak the value of any config entry from the .env file by using variable placeholders. Setting values are now sanitised (GHSA-88f9-7xxh-c688). Thanks to @thomas-chauchefoin-sonarsource
  • [SECURITY VULNERABILITY] Newline injection: a user/admin could inject new lines during configuration editing. Setting values are now sanitised (GHSA-9jxw-cfrh-jxq6). Thanks to @thomas-chauchefoin-sonarsource
  • [SECURITY VULNERABILITY] Forced reinstall: user/admin users could trick Cachet into allowing them to access the /setup endpoint and reinstall the whole instance. Fixed by preventing clearing of the instance name (GHSA-r67m-m8c7-jp83). Thanks to @thomas-chauchefoin-sonarsource
  • Resend edit subscription email to existing subscribers on request #52
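
The first two fixes both come down to validating a setting value before it is written to the .env file. The sketch below is an added example, not Cachet's own code: the function names are hypothetical, and it assumes placeholders take the dotenv nested-variable form `${NAME}`.

```php
<?php
// Added example with hypothetical names; not Cachet's implementation.

/** Reject values that would alter the .env structure or be expanded on load. */
function assertSafeEnvValue(string $value): void
{
    // CR, LF or NUL would end the entry, so the rest of the value would be
    // parsed as additional KEY=value lines.
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        throw new InvalidArgumentException('line break or NUL in setting value');
    }
    // Assumption: placeholders use the dotenv nested-variable form ${NAME},
    // which the loader replaces with another entry's value.
    if (preg_match('/\$\{[^}]*\}/', $value) === 1) {
        throw new InvalidArgumentException('variable placeholder in setting value');
    }
}

/** Return $contents with $key set to $value, validating both first. */
function setEnvEntry(string $contents, string $key, string $value): string
{
    if (preg_match('/^[A-Z][A-Z0-9_]*$/D', $key) !== 1) {
        throw new InvalidArgumentException('invalid setting name');
    }
    assertSafeEnvValue($value);
    // Quote the value and escape backslashes and double quotes inside it.
    $line = $key . '="' . addcslashes($value, '\\"') . '"';
    $pattern = '/^' . preg_quote($key, '/') . '=.*$/m';
    if (preg_match($pattern, $contents) === 1) {
        // A callback avoids "$1"-style references being read from the value.
        return preg_replace_callback($pattern, function () use ($line) {
            return $line;
        }, $contents, 1);
    }
    return rtrim($contents, "\n") . "\n" . $line . "\n";
}

// Constructed sample file and inputs.
$env = "APP_NAME=\"Status\"\nDB_PASSWORD=\"constructed-secret\"\n";
foreach (['My Status Page', '${DB_PASSWORD}', "Status\nINJECTED_KEY=1"] as $input) {
    try {
        $env = setEnvEntry($env, 'APP_NAME', $input);
        echo 'accepted: ', json_encode($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($input), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
echo $env;
```

Rejecting the value outright, rather than stripping the offending characters, keeps the stored setting identical to what the administrator typed and makes the failed attempt visible in the UI or logs.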

Container Image:

sedan07/cachet:v2.5.1