From eb2303f08c23c22ded6b1290abd86b0e4f4d8235 Mon Sep 17 00:00:00 2001
From: zooko <>
Date: Fri, 24 Aug 2007 16:42:34 +0000
Subject: [PATCH] [Imported from Trac: page OldNews, version 7]
---
OldNews.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/OldNews.md b/OldNews.md
index 2f5cef7..462e389 100644
--- a/OldNews.md
+++ b/OldNews.md
@@ -4,6 +4,26 @@ See also [new News](News).
## Archived News Items
+### 2007-08-21 -- security flaw
+
+Nathan Wilcox has discovered that the new web API in allmydata-tahoe
+version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site
+Reference Forgery" attack -- is one in which an attacker creates an
+innocuous-looking hyperlink, and if a user clicks on that hyperlink
+then it causes deletion or theft of the user's data. We are working
+on a fix for this problem, and in the meantime if you have stored any
+private or precious data on a tahoe grid, then you can make sure that
+you are not exposed to this threat by shutting down your tahoe node
+before browsing the web.
+
+You can read more about the attack and our fix in the mailing list archves:
+
+
+
+and in this bug tracker ticket:
+
+
+
### 2007-08-17 -- Allmydata Tahoe v0.5 is released.
[release announcement and discussion](http://lists.zooko.com/pipermail/p2p-hackers/2007-August/001209.html)
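Review bot: The two pointers in the added 2007-08-21 item have no targets. "You can read more about the attack and our fix in the mailing list archves:" and "and in this bug tracker ticket:" are each followed only by blank `+` lines, so a reader who wants the details of the XSRF flaw or the state of the fix is sent nowhere. Supply the mailing list URL and the ticket link in the same `[text](url)` form the existing v0.5 release entry uses, or drop the two sentences until the links are available. While touching that line, "archves" should be "archives". The entry would also be easier to find if it gave the more common expansion "Cross-Site Request Forgery" alongside "Cross-Site Reference Forgery". The interim advice to shut down the tahoe node before browsing is clear as written.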