v2.14.2

Latest

@hramezani hramezani released this 19 Jun 14:17
· 16 commits to main since this release
d703bd7

What's Changed

This is a security patch release.

  • Prevent NestedSecretsSettingsSource from following symlinks outside secrets_dir by @hramezani in #889
  • Prepare release 2.14.2 by @hramezani in #890

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.
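For deployments that cannot upgrade immediately, a secrets directory can be audited for the condition described above: symbolic links whose real target lies outside the tree. The script below is an added example, not pydantic-settings code and not the patch from #889; `find_escaping_entries` and `demo` are hypothetical names, and the directory layout in `demo` is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_entries(secrets_dir):
    """Return relative paths of symlinks under secrets_dir that resolve outside it."""
    root = Path(secrets_dir).resolve()
    escaping = []
    # followlinks=False: list symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            try:
                target = entry.resolve()  # follows the whole link chain
                outside = not target.is_relative_to(root)
            except (OSError, RuntimeError):
                outside = True  # link loop or unreadable link: flag for review
            if outside:
                escaping.append(entry.relative_to(root).as_posix())
    return sorted(escaping)


def demo():
    """Build a constructed secrets tree and return the entries that get flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        outside = base / "outside"
        outside.mkdir()
        (outside / "host_file").write_text("not a secret\n")
        secrets = base / "secrets"
        (secrets / "db").mkdir(parents=True)
        (secrets / "db" / "password").write_text("constructed-value\n")
        # Link that stays inside the tree: not flagged.
        (secrets / "db_alias").symlink_to(secrets / "db", target_is_directory=True)
        # Links that leave the tree: one file link, one directory link.
        (secrets / "db" / "leak").symlink_to(outside / "host_file")
        (secrets / "ext").symlink_to(outside, target_is_directory=True)
        return find_escaping_entries(secrets)


if __name__ == "__main__":
    for rel in demo():
        print("symlink resolves outside secrets_dir:", rel)
```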

Full Changelog: v2.14.1...v2.14.2