[Imported from Trac: page OldNews, version 7]
parent 445c84ed0b
commit eb2303f08c
20
OldNews.md
|
@ -4,6 +4,26 @@ See also [new News](News).
|
||||||
|
|
||||||
## Archived News Items
|
## Archived News Items
|
||||||
|
|
||||||
|
### 2007-08-21 -- security flaw
|
||||||
|
|
||||||
|
Nathan Wilcox has discovered that the new web API in allmydata-tahoe
|
||||||
|
version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site
|
||||||
|
Reference Forgery" attack -- is one in which an attacker creates an
|
||||||
|
innocuous-looking hyperlink, and if a user clicks on that hyperlink
|
||||||
|
then it causes deletion or theft of the user's data. We are working
|
||||||
|
on a fix for this problem, and in the meantime if you have stored any
|
||||||
|
private or precious data on a tahoe grid, then you can make sure that
|
||||||
|
you are not exposed to this threat by shutting down your tahoe node
|
||||||
|
before browsing the web.
|
||||||
|
|
||||||
|
You can read more about the attack and our fix in the mailing list archves:
|
||||||
|
|
||||||
|
<http://allmydata.org/pipermail/tahoe-dev/>
|
||||||
|
|
||||||
|
and in this bug tracker ticket:
|
||||||
|
|
||||||
|
<http://allmydata.org/trac/tahoe/ticket/98>
|
||||||
|
|
||||||
### 2007-08-17 -- Allmydata Tahoe v0.5 is released.
|
### 2007-08-17 -- Allmydata Tahoe v0.5 is released.
|
||||||
|
|
||||||
[release announcement and discussion](http://lists.zooko.com/pipermail/p2p-hackers/2007-August/001209.html)
|
[release announcement and discussion](http://lists.zooko.com/pipermail/p2p-hackers/2007-August/001209.html)
|
||||||
|
|
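Review bot: In the added 2007-08-21 item, the line "You can read more about the attack and our fix in the mailing list archves:" misspells "archives" and links only to the tahoe-dev archive index, so a reader cannot find the relevant thread; fix the spelling and link the specific message. The same item says "We are working on a fix" and then refers to "our fix", which leaves it unclear whether a fixed release exists; state the status consistently so users know how long the shut-down-the-node workaround is needed. Consider also giving the more common name "Cross-Site Request Forgery (CSRF)" next to "Cross-Site Reference Forgery" so the term is searchable.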