Impact
Since version 61.0, there's a vulnerability which allows attaching the content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs.
Patches
Fixed by commit 734ee8e, which is included in 61.2.
Workarounds
- Check that no PDF attachment is defined in the source HTML.
- Launch WeasyPrint in a sandbox that prevents access to the filesystem and the network.
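The first workaround, a pre-render gate that refuses source HTML declaring a PDF attachment, as an added example that is not part of WeasyPrint or this advisory. It relies on `rel="attachment"` on `<link>` and `<a>` being how attachments are declared; the extra check for a CSS `attachment()` link function is an assumption to verify against your version's documentation, and the sample documents are constructed.

```python
import re
from html.parser import HTMLParser

# Assumed (verify for your version): a CSS attachment() link function also declares an attachment.
ATTACHMENT_CSS = re.compile(r'\battachment\s*\(', re.IGNORECASE)

class AttachmentFinder(HTMLParser):
    """Collect every place the source HTML asks WeasyPrint to attach a file."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # rel is a space-separated token list; <link> and <a> carry attachments.
        if 'attachment' in (attrs.get('rel') or '').lower().split():
            self.findings.append(f'<{tag} rel=attachment href={attrs.get("href")!r}>')
        if ATTACHMENT_CSS.search(attrs.get('style') or ''):
            self.findings.append(f'<{tag} style="..."> uses attachment()')
        if tag == 'style':
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and ATTACHMENT_CSS.search(data):
            self.findings.append('<style> block uses attachment()')

def find_attachments(html):
    """Return a description of each attachment declaration found (empty list if none)."""
    finder = AttachmentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def check_no_attachments(html):
    """Gate to call before HTML(...).write_pdf(): reject documents that declare attachments."""
    findings = find_attachments(html)
    if findings:
        raise ValueError('refusing to render, attachment declared: ' + '; '.join(findings))
    return html

# Constructed sample inputs, not taken from the advisory.
CLEAN_HTML = '<html><head><link rel="stylesheet" href="print.css"></head><body>ok</body></html>'
UNSAFE_HTML = ('<html><head><link rel="attachment" href="file:///tmp/example.txt"></head>'
               '<body><a rel="attachment" href="https://example.invalid/x">x</a></body></html>')
```

Run `check_no_attachments` on untrusted HTML before handing it to WeasyPrint 61.0 or 61.1; on 61.2 the fetcher applies to attachments and the gate becomes defence in depth.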
Release Notes
Kozea/WeasyPrint (weasyprint)
### [`v61.2`](https://togithub.com/Kozea/WeasyPrint/releases/tag/v61.2)
[Compare Source](https://togithub.com/Kozea/WeasyPrint/compare/v61.1...v61.2)
**This is a security update.**
We strongly recommend upgrading WeasyPrint to the latest version if you use WeasyPrint 61.0 or 61.1. Older versions are not impacted.
#### Security
- Always use URL fetcher for attachments
#### Contributors
- Guillaume Ayoub
- Ilia Novoselov
#### Backers and sponsors
- Spacinov
- Kobalt
- Grip Angebotssoftware
- Manuel Barkhau
- SimonSoft
- Menutech
- KontextWork
- René Fritz
- Simon Sapin
- Arcanite
- TrainingSparkle
- Healthchecks.io
- Hammerbacher
- Docraptor
- Yanal-Yvez Fargialla
- Morntag
- NBCO
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: weasyprint `==61.1` -> `==61.2`
GitHub Vulnerability Alerts
CVE-2024-28184