Aug 092022

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release’s release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

  • Fixed an open redirect vulnerability in the login dialog. An attacker could send a login URL with a specially crafted redirect parameter pointing to an external page under their control to an instance admin that if used to login would redirect this URL, allowing the attacker to start a phishing attack. This is not directly exploitable by the attacker, but after a successful phishing attack and thus obtained credentials could be used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project’s recommendations). Thanks to „Mizu“ for reporting and disclosing this responsibly.

🐛 Bug fixes

  • Pinned the Flask dependency to 2.1. The latest release requires a version of werkzeug that we currently cannot upgrade to due to yet another dependency, and there seem to have been cases in the field where users managed to update Flask regardless of the werkzeug version pin in OctoPrint, which caused runtime errors. This has not been successfully reproduced in the development environment, but a version pin here is a sensible precaution.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to Mizu for responsibly disclosing the security vulnerability that was fixed in this release.

Kommentar verfassen