[qutebrowser] qutebrowser v1.4.1 released (security update, CVE-2018-10895)
Florian Bruhin
me at the-compiler.org
Wed Jul 11 17:35:58 CEST 2018
Hey,

I've just released qutebrowser v1.4.1 which fixes a CSRF vulnerability on the
qute://settings page.

The vulnerability allowed websites to change qutebrowser settings, potentially
leading to arbitrary code execution via settings such as `editor.command`.

See the separate security announcement for details:
https://lists.schokokeks.org/pipermail/qutebrowser-announce/2018-July/000048.html

Other bugfixes in this release:

- Rare crash when an error occurs in downloads.
- Newlines are now stripped from the :version pastebin URL.
- There's a new `mkvenv-pypi-old` environment in `tox.ini` which installs an
  older Qt, which is needed on Ubuntu 16.04.
- Worked around a Qt issue which redirects to a `chrome-error://` page when
  trying to use U2F.
- The `link_pyqt.py` script now works correctly with PyQt 5.11.
- The Windows installer now uninstalls the old version before installing the
  new one, fixing issues with qutebrowser not starting after installing v1.4.0
  over v1.3.3.

Sorry for the trouble!

Florian
--
https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/