Hey, I've just released qutebrowser v1.4.1 which fixes a CSRF vulnerability on the qute://settings page.
The vulnerability allowed websites to change qutebrowser settings, potentially leading to arbitrary code execution via settings such as `editor.command`. See the separate security announcement for details:

https://lists.schokokeks.org/pipermail/qutebrowser-announce/2018-July/000048.html

Other bugfixes in this release:

- Rare crash when an error occurs in downloads.
- Newlines are now stripped from the :version pastebin URL.
- There's a new `mkvenv-pypi-old` environment in `tox.ini` which installs an older Qt, which is needed on Ubuntu 16.04.
- Worked around a Qt issue which redirects to a `chrome-error://` page when trying to use U2F.
- The `link_pyqt.py` script now works correctly with PyQt 5.11.
- The Windows installer now uninstalls the old version before installing the new one, fixing issues with qutebrowser not starting after installing v1.4.0 over v1.3.3. Sorry for the trouble!

Florian

--
https://www.qutebrowser.org | [email protected] (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
