
Etherpad 1.6.3 security release
Closed, Resolved · Public

Description

https://github.com/ether/etherpad-lite/releases/tag/1.6.3 mentions three security issues:

"SECURITY: Update ejs"
"SECURITY: xss vulnerability when reading window.location.href" is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6834
"SECURITY: sanitize jsonp" is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6835

Event Timeline

Restricted Application added a subscriber: Aklapper. · Feb 9 2018, 9:26 AM

Mentioned in SAL (#wikimedia-operations) [2018-02-09T15:47:28Z] <akosiaris> upload etherpad-lite 1.6.3-1 to apt.wikimedia.org/jessie-wikimedia/main T186866

Mentioned in SAL (#wikimedia-operations) [2018-02-09T15:49:14Z] <akosiaris> upgrade etherpad.wikimedia.org to 1.6.3-1 T186866

akosiaris closed this task as Resolved. · Feb 9 2018, 3:58 PM
akosiaris claimed this task.

etherpad.wikimedia.org has been updated. We should now be safe from these vulns, resolving.