Over the past few weeks, I have been working with security researchers to find as many vulnerabilities as possible in the Rdiffweb application. With this new wave of patches, Rdiffweb is both more secure and robust against all kinds of attacks that we have been able to identify so far. For this reason, I have quickly prepared several patches to fix the vulnerabilities. At the same time, I am also working on other modifications to Rdiffweb to add two-factor authentication.
This latest release contains several security patches. It is recommended that you update your version of Rdiffweb as soon as possible.
Here is the list of changes since version 2.4.2:
- Add Cache-Control and other security headers CVE-2022-3292
- Enforce password policy using password-score based on zxcvbn CVE-2022-3326
- Clean up invalid path on error page
- Limit username field length CVE-2022-3290
- Limit user's email field length CVE-2022-3272
- Limit user's root directory field length CVE-2022-3295
- Limit SSH Key title field length CVE-2022-3298
- Generate a new session on login and 2FA #220 CVE-2022-3269
- Mitigate CSRF on user's settings #221 CVE-2022-3274
- Support MarkupSafe<3 for Debian bookworm
- Mitigate CSRF on user's notification settings #216 CVE-2022-3233
- Mitigate CSRF on repository settings #217 CVE-2022-3267
- Use 'Secure' Attribute with Sensitive Cookie in HTTPS Session on HTTP Error #218 CVE-2022-3174
- Mitigate CSRF on repository deletion and user deletion CVE-2022-3232 #214 #215
- Use X-Real-IP to identify client IP address to mitigate Brute-Force attack #213
- Mitigate CSRF in profile's SSH Keys CVE-2022-3221 #212
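Several of the items above (field length limits, CSRF mitigation on settings forms, a fresh session on login, and using X-Real-IP behind a proxy to count brute-force attempts) are common web-application hardening patterns. The block below is an added, standard-library Python illustration of those patterns written for this page; it is not Rdiffweb's own code, and the maximum lengths, the trusted proxy ranges, and the `SessionStore`, `validate_length` and `client_ip` names are assumptions made for the example.

```python
"""Added example, not Rdiffweb's code: standard-library sketches of
field length limits, a per-session CSRF token, session regeneration
on login, and client-IP resolution that honours X-Real-IP only when
the TCP peer is a trusted reverse proxy. All limits, names and
addresses are assumptions chosen for illustration."""
import hmac
import ipaddress
import secrets

# Assumed maximum lengths; a real application picks its own.
MAX_LEN = {"username": 256, "email": 256, "user_root": 4096, "ssh_key_title": 256}


def validate_length(field, value):
    """Return True when value is a string within the limit for field."""
    return isinstance(value, str) and len(value) <= MAX_LEN[field]


class SessionStore:
    """Minimal server-side session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Create an anonymous session with its own random CSRF token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_hex(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, old_sid, username):
        """Drop the pre-login session and issue a fresh id so a session id
        planted before authentication (session fixation) never becomes an
        authenticated one. The CSRF token is rotated along with it."""
        self._sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        return new_sid

    def csrf_token(self, sid):
        """Token to embed in every state-changing form for this session."""
        return self._sessions[sid]["csrf"]

    def check_csrf(self, sid, submitted):
        """Constant-time comparison of the submitted form token with the
        session's token; any mismatch or unknown session is rejected."""
        session = self._sessions.get(sid)
        if session is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(session["csrf"], submitted)


# Assumed reverse-proxy ranges allowed to set X-Real-IP.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def client_ip(remote_addr, headers):
    """Resolve the address used for brute-force accounting. X-Real-IP is
    trusted only when the TCP peer is a known proxy; otherwise any client
    could forge the header and escape the per-IP counters. A malformed
    header value falls back to the peer address."""
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        real = headers.get("X-Real-IP")
        if real:
            try:
                return str(ipaddress.ip_address(real.strip()))
            except ValueError:
                pass
    return str(peer)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.new_session()
    authed = store.login(anon, "alice")
    print("session rotated on login:", anon != authed)
    print("csrf ok:", store.check_csrf(authed, store.csrf_token(authed)))
    print("client ip via proxy:", client_ip("127.0.0.1", {"X-Real-IP": "203.0.113.5"}))
    print("client ip direct:", client_ip("198.51.100.7", {"X-Real-IP": "203.0.113.5"}))
```

The two checks worth carrying over to any deployment are that the CSRF token is bound to the session that was issued after login (so a pre-login token is useless once the id is rotated) and that the proxy header is only believed from addresses you control; without the second check, an X-Real-IP based rate limiter can be bypassed by the very traffic it is meant to count.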