GNU social XSS vulnerability, version bumped to v1.1.2
Mikael Nordfeldth <mmn@...
2014-10-25 13:19:07 GMT
Hi all, I'm the maintainer of GNU social. Feel free to download my
attached public OpenPGP key if you think it might be of use in the future.

I wish to announce that a GNU social XSS vulnerability was discovered in
the Bookmark plugin, which is enabled by default. I have not asked
whether I can name the person who found the issue, but will give proper
attribution if this person would like that.

Affects: GNU social master repository up until commit #048af5a.
Also affects: StatusNet, all versions (since Bookmark plugin).

Reason: There was no proper check on the input value of the Bookmark
URL, making it possible to enter a value such as

Severity: Reasonably, this would require a user to click the link rather
than have anything automatically execute. Should this be a bad
assumption from my side, please voice it on this list and to whoever
may need that info.

Fix: I patched this in commit 39b5e08 visible at
and can easily be applied by hand to StatusNet code.

The resulting source update bumped the version number to 1.1.2-alpha1,
since I figure that might get people to update quicker.

Standard update procedure applies, though no database changes have been
# Stop daemons if you're running them.
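As an added illustration, not part of the advisory above nor of the GNU social patch it references, here is the kind of input check the message describes, written in Python: a bookmark URL is accepted only if it carries an http or https scheme and a host, and the link is rendered with escaped attribute and text values. The function names and the allowed-scheme set are assumptions for this example.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumption: a bookmark only ever needs to point at a web resource, so
# every other scheme (script, data, custom handlers) is refused outright.
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def validate_bookmark_url(value: str) -> Optional[str]:
    """Return a normalised URL if `value` is an acceptable bookmark target, else None."""
    if not isinstance(value, str) or len(value) > MAX_URL_LENGTH:
        return None
    candidate = value.strip()
    # Control characters and embedded whitespace are rejected before parsing:
    # browsers strip some of them, which can change how the scheme is read.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    # Rebuild from the parsed components so only what we validated is stored.
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))


def render_bookmark_link(value: str, title: str) -> str:
    """Render the bookmark as an anchor; an invalid URL degrades to plain text."""
    url = validate_bookmark_url(value)
    if url is None:
        return html.escape(title)
    # Escape both the attribute value and the visible text independently of the URL check.
    return f'<a href="{html.escape(url, quote=True)}" rel="nofollow">{html.escape(title)}</a>'
```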