Publify 8.3.3 – Security Fixes

Alvaro Folgado identified several security issues in Publify that are fixed in this release:

  • Rails’ protection from CSRF was not active for all actions. This was fixed.
  • Devise’s password recovery feature was configured to behave differently for existing and non-existing email addresses. This has been changed to use Devise’s ‘paranoid’ mode.
  • Publify was vulnerable to CVE-2016-3714, a vulnerability in ImageMagick, on servers that have affected versions of ImageMagick installed. It now checks the MIME type of uploaded files based on their content before processing them with ImageMagick.
  • Publify used Rails’ cookie session store, making it possible to effectively log back in by using an older value of the session cookie. Publify now stores the session data in the database.
  • The blog name was not properly escaped in the views used for Devise.
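
The content-based MIME type check from the ImageMagick item above could look like the following sketch. It is an added example, not Publify's own code; the signature table, the `verify_upload!` helper and the sample uploads are assumptions constructed for illustration.

```ruby
require "stringio"

# Leading-byte signatures for the raster formats this sketch accepts (assumed allowlist).
IMAGE_SIGNATURES = {
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/png"  => ["\x89PNG\r\n\x1A\n".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b]
}.freeze

EXTENSION_TYPES = {
  ".jpg" => "image/jpeg", ".jpeg" => "image/jpeg",
  ".png" => "image/png", ".gif" => "image/gif"
}.freeze

class RejectedUpload < StandardError; end

# Returns the MIME type implied by the first bytes of +io+, or nil if unrecognised.
def sniff_mime_type(io)
  io.rewind
  head = io.read(16).to_s.b
  io.rewind # leave the stream at the start for later processing
  IMAGE_SIGNATURES.each do |mime, magics|
    return mime if magics.any? { |magic| head.start_with?(magic) }
  end
  nil
end

# Raises unless the content is an allowlisted image type that matches the file extension.
def verify_upload!(filename, io)
  sniffed = sniff_mime_type(io)
  raise RejectedUpload, "content is not an allowed image type" if sniffed.nil?
  claimed = EXTENSION_TYPES[File.extname(filename).downcase]
  raise RejectedUpload, "extension does not match content (#{sniffed})" unless claimed == sniffed
  sniffed
end

# Constructed sample uploads (byte strings, not real files).
SAMPLES = {
  "photo.png"  => "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b,            # genuine PNG header
  "avatar.jpg" => %(<svg xmlns="http://www.w3.org/2000/svg"></svg>).b, # text content named .jpg
  "logo.gif"   => "\xFF\xD8\xFF\xE0\x00\x10JFIF".b                     # JPEG bytes named .gif
}.freeze

# Runs the check over every sample and records the accepted type or the rejection reason.
def check_samples
  SAMPLES.to_h do |name, bytes|
    [name, verify_upload!(name, StringIO.new(bytes))]
  rescue RejectedUpload => e
    [name, "rejected: #{e.message}"]
  end
end

check_samples.each { |name, result| puts "#{name}: #{result}" }
```

Only uploads that pass this check would be handed to the image processor; the client-supplied `Content-Type` header and the filename alone are never trusted.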

Additionally, the following small bugs were fixed:

  • There was an error on the sign-in due to the use of a deprecated method in Devise.
  • Failed resource uploads were reported as successful.

It is recommended you update to this release as soon as possible.

Published on 03/11/2016 at 20h30 by Matijs van Zuijlen
