release: v1.1.1

inveniosoftware · Jul 15, 2019 · 53d5101 · 53d5101
1 parent 0feb40a
commit 53d5101
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -7,7 +7,21 @@
 
 Changes
 =======
-Version 1.1.0 (released 2019-12-14)
+Version 1.1.1 (released 2019-07-15)
+
+- Fixes a security issue where APP_ALLOWED_HOSTS was not always being checked,
+  and thus could allow host header injection attacks.
+
+  NOTE: you should never route requests to your application with a wrong host
+  header. The APP_ALLOWED_HOSTS exists as an extra protective measure, because
+  it is easy to misconfigure your web server.
+
+  The root cause was that Werkzeug's trusted host feature only works when
+  request.host is being evaluated. This means that for instance when only
+  url_for (part of the routing system) is used, then the host header check is
+  not performed.
+
+Version 1.1.0 (released 2018-12-14)
 
 - The Flask-DebugToolbar extension is now automatically registered if
   installed.

diff --git a/invenio_app/version.py b/invenio_app/version.py
@@ -14,4 +14,4 @@
 
 from __future__ import absolute_import, print_function
 
-__version__ = '1.1.0'
+__version__ = '1.1.1'