Veikko Mäkinen

Thursday, 2009-02-05

Agavi 1.0.0 Beta 8 Includes a Critical Security Fix

Agavi 1.0.0 Beta 8 was released late yesterday (European time). As usual, the new version contains several improvements and bug fixes, but it also fixes a critical cross-site scripting vulnerability described in http://trac.agavi.org/ticket/1019. As far as we know, the vulnerability affects only Internet Explorer 6 and 7, which fail to encode URLs according to the standards.

Affected versions:

  • Agavi 0.11 up to and including 0.11.6-RC2
  • Agavi 1.0 up to and including 1.0.0-beta7

Solutions

  • Upgrade to 0.11.6 or 1.0.0 Beta 8
  • Patch your Agavi with a hot fix attached to the ticket
  • Use one of the workarounds described in the ticket.
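As an added illustration, which is not Agavi's own code and not the hot fix from the ticket, the function below shows the general defence against this class of bug: a request URI reported by the web server is re-encoded and HTML-escaped before it is echoed into markup (for example into a self-referencing form action or link), so a client that did not percent-encode the URL itself cannot slip raw HTML characters into the page. The function name, the constructed sample URI and the PHP 7.4+ requirement are assumptions made for this example.

```php
<?php
// Added example (not Agavi code): treat the request URI as untrusted input
// and make it safe before embedding it in HTML. Assumes PHP 7.4 or newer.

/**
 * Re-encode a request URI so that only RFC 3986 characters remain, then
 * HTML-escape it for use inside an attribute or element body.
 *
 * A standards-compliant browser percent-encodes characters such as '"' and
 * '<' before sending the request; the announcement above notes that IE 6/7
 * did not, so the server must never trust the raw value.
 */
function safeRequestUri(string $uri): string
{
    // Split path and query so each part is normalised with the right rules.
    $parts = explode('?', $uri, 2);
    $path  = $parts[0];
    $query = $parts[1] ?? null;

    // Percent-encode each path segment. Decode first so sequences that were
    // already encoded are not encoded twice.
    $segments = array_map(
        static function (string $segment): string {
            return rawurlencode(rawurldecode($segment));
        },
        explode('/', $path)
    );
    $normalised = implode('/', $segments);

    if ($query !== null) {
        parse_str($query, $params);                     // decode key/value pairs
        $normalised .= '?' . http_build_query($params); // re-encode them
    }

    // Final defence: HTML-escape so the value can never close an attribute
    // or open a tag even if a character slipped through the steps above.
    return htmlspecialchars($normalised, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a URI as a non-compliant client might send it, with
// characters left unencoded in both the path and the query string.
$raw = '/news/"list"/<item>?tag=<x>&q=a"b';

echo 'raw:  ' . $raw . PHP_EOL;
echo 'safe: ' . safeRequestUri($raw) . PHP_EOL;
```

Run it with `php` on the command line. In the output every `"` and `<` from the sample becomes a percent-encoded sequence, and the `&` separating the query parameters becomes `&amp;`, which is the correct form for a URL placed inside HTML. The same two steps apply whatever the framework: normalise the URL with the URL encoder, then escape it with the HTML encoder at the point of output.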