[qutebrowser] qutebrowser v1.3.3 released (security update!)
me at the-compiler.org
Fri Jun 22 00:51:04 CEST 2018
I've just released qutebrowser v1.3.3, which fixes an XSS vulnerability
on the qute://history page (:history).
The vulnerability allowed websites to inject HTML into the page via a
crafted title tag. This could allow them to steal your browsing history.
If you're currently unable to upgrade, avoid using :history.
A CVE request for this issue is pending, I'll send out another mail once
there's a CVE ID assigned.
The issue was introduced in March 2017 and part of the v0.11.0 release:
The patch applies cleanly to v1.2.x and v1.1.x (but I do not plan to do
any updated releases of those):
It does *not* apply to v1.0.x and v0.11.x. If you need a backport,
please let me know, but especially on v0.11.x you'll probably have a lot
of other security issues due to an outdated QtWebKit anyways.
I plan to release v1.4.0 later this week (once PyQt 5.11 is out), but
since the bug was opened publicly, I decided to do an immediate bugfix
release. As a reminder, for security-relevant bugs, please contact me
directly at mail at qutebrowser.org.
Other bugfixes in this release:
- Crash in a workaround for a Qt 5.11 bug in rare circumstances.
- Workaround for a Qt bug which preserves searches between page loads.
- In v1.3.2 a dependency on the `PyQt5.QtQuickWidgets` module was accidentally
introduced. Since that module isn't packaged everywhere, it's been removed
Sorry for the trouble!
https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the qutebrowser