Hey,

I've just released qutebrowser v1.4.1 which fixes a CSRF vulnerability on the
qute://settings page.

The vulnerability allowed websites to change qutebrowser settings, potentially
leading to arbitrary code execution via settings such as `editor.command`.

See the separate security announcement for details:
https://lists.schokokeks.org/pipermail/qutebrowser-announce/2018-July/000048.html

Other bugfixes in this release:

- Rare crash when an error occurs in downloads.
- Newlines are now stripped from the :version pastebin URL.
- There's a new `mkvenv-pypi-old` environment in `tox.ini` which installs an
  older Qt, which is needed on Ubuntu 16.04.
- Worked around a Qt issue which redirects to a `chrome-error://` page when
  trying to use U2F.
- The `link_pyqt.py` script now works correctly with PyQt 5.11.
- The Windows installer now uninstalls the old version before installing the
  new one, fixing issues with qutebrowser not starting after installing v1.4.0
  over v1.3.3.

Sorry for the trouble!

Florian

-- 
https://www.qutebrowser.org | m...@the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
         I love long mails! | https://email.is-not-s.ms/

Attachment: signature.asc
Description: PGP signature

Reply via email to