Version 0.5.6, Changelog
parent
a89f66e8b5
commit
db8c85d249
2 changed files with 46 additions and 1 deletions
45
CHANGELOG.md
|
@ -1,3 +1,48 @@
|
|||
## ZeroNet 0.5.6 (2017-06-15)
|
||||
### Added
|
||||
- Callback for certSelect API command
|
||||
- More compact list formatting in json
|
||||
|
||||
### Changed
|
||||
- Remove obsolete auth_key_sha512 and signature format
|
||||
- Improved Spanish translation (Thanks to Pupiloho)
|
||||
|
||||
### Fixed
|
||||
- Opened port checking (Thanks l5h5t7 & saber28 for reporting)
|
||||
- Standalone update.py argument parsing (Thanks Zalex for reporting)
|
||||
- uPnP crash on startup (Thanks Vertux for reporting)
|
||||
- CoffeeScript 1.12.6 compatibility (Thanks kavamaken & imachug)
|
||||
- Multi value argument parsing
|
||||
- Database error when running from directory that contains special characters (Thanks Pupiloho for reporting)
|
||||
- Site lock violation logging
|
||||
|
||||
|
||||
#### Proxy bypass during source upgrade [Reported by ZeroMux]
|
||||
|
||||
In ZeroNet before 0.5.6 during the client's built-in source code upgrade mechanism,
|
||||
ZeroNet did not respect Tor and/or proxy settings.
|
||||
|
||||
Result: ZeroNet downloaded the update without using the Tor network and potentially leaked the connections.
|
||||
|
||||
Fix: Removed the problematic code line from the updater that removed the proxy settings from the socket library.
|
||||
|
||||
Affected versions: ZeroNet 0.5.5 and earlier, Fixed in: ZeroNet 0.5.6
|
||||
|
||||
|
||||
#### XSS vulnerability using DNS rebinding. [Reported by Beardog108]
|
||||
|
||||
In ZeroNet before 0.5.6 the web interface did not validate the request's Host parameter.
|
||||
|
||||
Result: An attacker using a specially crafted DNS entry could have bypassed the browser's cross-site-scripting protection
|
||||
and potentially gained access to user's private data stored on site.
|
||||
|
||||
Fix: By default ZeroNet only accept connections from 127.0.0.1 and localhost hosts.
|
||||
If you bind the ui server to an external interface, then it also adds the first http request's host to the allowed host list
|
||||
or you can define it manually using --ui_host.
|
||||
|
||||
Affected versions: ZeroNet 0.5.5 and earlier, Fixed in: ZeroNet 0.5.6
|
||||
|
||||
|
||||
## ZeroNet 0.5.5 (2017-05-18)
|
||||
### Added
|
||||
- Outgoing socket binding by --bind parameter
|
||||
|
|
|
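Review bot: The DNS rebinding entry documents that, when the UI server is bound to an external interface, "it also adds the first http request's host to the allowed host list", but it gives the operator no guidance on that trust-on-first-request behaviour. I would add a sentence recommending that anyone binding to an external interface set --ui_host explicitly, so the allowed host list does not depend on whichever request arrives first. Two smaller points in the same hunk: "ZeroNet only accept connections" should read "only accepts", and the proxy bypass entry's "potentially leaked the connections" would be clearer if it said what was exposed (the update download was made outside Tor or the configured proxy). Since this commit only touches the changelog and the version string, referencing the commits that carry the two fixes would make the advisories easier to audit.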
@ -9,7 +9,7 @@ import ConfigParser
|
|||
class Config(object):
|
||||
|
||||
def __init__(self, argv):
|
||||
self.version = "0.5.5"
|
||||
self.version = "0.5.6"
|
||||
self.rev = 2109
|
||||
self.argv = argv
|
||||
self.action = None
|
||||
|
|
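Review bot: In Config.__init__ the version string changes to "0.5.6" while the context line `self.rev = 2109` is unchanged. If rev is meant to advance with each release, please confirm it was already bumped in an earlier commit for this release; otherwise it should be updated here together with the version.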