Content-Type validation bypass (née Responsible Disclosure)

Question

dappelt opened this issue 5 years ago · comments

I would like to report a security vulnerability. Can you please create a Draft Security Advisory?

eli · Answer 1 · Fri Nov 08 2019 03:33:32 GMT+0800 (China Standard Time)

Will do. Thanks!

eli · Answer 2 · Fri Nov 08 2019 03:36:20 GMT+0800 (China Standard Time)

Draft advisory created, and @dappelt invited to collaborate on it.

eli · Answer 3 · Sat Nov 09 2019 06:06:42 GMT+0800 (China Standard Time)

This advisory has been accepted.
Status: Working on a fix.

eli · Answer 4 · Tue Nov 12 2019 05:43:59 GMT+0800 (China Standard Time)

Status: release with fix planned for tomorrow.

eli · Answer 5 · Wed Nov 13 2019 04:52:15 GMT+0800 (China Standard Time)

v2.1.1 released with fixes.

eli · Answer 6 · Wed Nov 13 2019 04:54:43 GMT+0800 (China Standard Time)

Advisory published: GHSA-jg2r-qf99-4wvr
Please upgrade your installs!

eli · Answer 7 · Wed Nov 13 2019 04:57:34 GMT+0800 (China Standard Time)

Thanks to @dappelt for the report, and assistance with the fix review.

dappelt · Answer 8 · Wed Nov 13 2019 17:40:56 GMT+0800 (China Standard Time)

Thanks for dealing with the issue so quickly.