PrivateBin v1.2.2 Release Notes

Release Date: 2020-01-11 // over 2 years ago
  • This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.

    🚀 On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent Cross-site scripting (XSS) vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.

    ⚡️ Further details on this is an issue and its implications can be found in our report on the vulnerability. It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.

    🚀 Benefits of switching to the new release

    ⬆️ We recommend to upgrade 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have fileuploads enabled and uses the recommended CSP header to mitigate XSS attacks.

    🚀 Due to the seriousness of the issue, we do offer a backport of the fix for the 1.2.1 version of PrivateBin, that also includes updated JavaScript libraries. You may choose to use that version over 1.3.2, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.

    ⚡️ Update procedure

    🚀 As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

    🐳 We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.

    🔄 Changes since version 1.2.1

    • ⬆️ CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
    • 🛠 FIXED: HTML injection via unescaped attachment filename (#554)

    🚀 More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.2 & 1.2.2 release announcements.