v0.21.29

@rossabaker rossabaker released this 30 Sep 20:25

This release includes security patches for blaze-client, blaze-server, ember-client, ember-server, and jetty-client. It is binary compatible with the 0.21.x series.

Various modules

  • GHSA-5vcm-3xc3-w7x3: Patches a vulnerability when unencoded user inputs are rendered in the model. Malicious characters in these inputs can be used in splitting attacks.
    • Header values. \r, \n, and \u0000 values are now replaced with spaces.
    • Header names. Headers with invalid names are now dropped.
    • Status reason phrases. Invalid phrases are now omitted.
    • URI authority registered names. Requests with invalid reg-names now raise an exception.
    • URI paths. Requests with invalid URI paths now raise an exception.
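
The header and status-line rules listed above, sketched as a small renderer. This is an added example, not http4s source code: `HeaderRenderSketch` and its functions are hypothetical names, the character classes follow RFC 7230, and the sample headers are constructed. The URI reg-name and path checks are not covered.

```scala
// Added illustration of the rendering rules in this release note.
// Not http4s code; every name in this object is hypothetical.
object HeaderRenderSketch {
  // RFC 7230 "tchar": the only characters allowed in a header field name.
  private val tcharExtra = "!#$%&'*+-.^_`|~".toSet

  def isToken(s: String): Boolean =
    s.nonEmpty && s.forall(c => (c < 128 && c.isLetterOrDigit) || tcharExtra(c))

  // Header values: CR, LF and NUL are replaced with spaces.
  def sanitizeValue(v: String): String =
    v.map(c => if (c == '\r' || c == '\n' || c == '\u0000') ' ' else c)

  // Reason phrase: HTAB, SP, visible ASCII or obs-text only; otherwise omitted.
  def reasonPhrase(r: String): String =
    if (r.forall(c => c == '\t' || (c >= ' ' && c != 0x7f && c <= 0xff))) r else ""

  def renderHead(status: Int, reason: String, headers: List[(String, String)]): String = {
    val sb = new StringBuilder
    sb.append("HTTP/1.1 ").append(status).append(' ').append(reasonPhrase(reason))
    sb.append("\r\n")
    headers.foreach { case (name, value) =>
      // Headers with invalid names are dropped rather than repaired.
      if (isToken(name))
        sb.append(name).append(": ").append(sanitizeValue(value)).append("\r\n")
    }
    sb.append("\r\n").toString
  }

  def main(args: Array[String]): Unit = {
    // Constructed input: user-controlled strings carrying CR/LF.
    val headers = List(
      "X-Request-Id" -> "abc\r\nSet-Cookie: injected=1",
      "Bad Name\r\n" -> "dropped",
      "Content-Length" -> "0"
    )
    val head = renderHead(200, "OK\r\nX-Extra: 1", headers)
    // The head still has exactly one status line and two header lines.
    assert(head.split("\r\n").toList == List(
      "HTTP/1.1 200 ",
      "X-Request-Id: abc  Set-Cookie: injected=1",
      "Content-Length: 0"
    ))
    print(head.replace("\r\n", "\\r\\n\n"))
  }
}
```

Because the CR and LF become spaces, the injected text stays inside the value of `X-Request-Id` instead of starting a new header line.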