1.0.7.1

@NicolasDorier NicolasDorier released this 30 Mar 15:16
· 2509 commits to master since this release
3461dd6

This is a security release that patches one critical and several low-impact vulnerabilities that affected BTCPay Server versions 1.0.7.0 and older.

The critical vulnerability (CVE-2021-29251) impacts users who:

  • Use the Docker deployment, have a configured email server, and have enabled user registration in Server Settings > Policies

We strongly recommend that affected users update their instances to mitigate the risk. We will release a full public disclosure of the vulnerabilities with the next major version of BTCPay Server.

We want to thank @teslamotors for filing a responsible disclosure, helping us with remediation, and handling the situation professionally.
We also want to thank Qaiser Abbas, an independent web-security researcher, for an additional responsible vulnerability disclosure that was handled in this release.

Thank you for keeping our users safe.

Improvements:

Bug fixes:

  • Ensure submitting empty currency does not break update PoS page (#2376) @bolatovumar
  • Fix point of sale item newline break (#2366) @Kukks
  • Validate filename in file upload endpoints @NicolasDorier
  • Turn off autocomplete for BIP39 Seed or HD private key inputs @nosovk
  • Fix payment request template body/page height and footer style @patrick