github fccview/jotty 1.15.2
SECURITY UPDATE 1.15.2

Changelog

security update

This is a fairly urgent security update after issue #307 was raised.
This security incident affects all logged-in pages and public checklist/note pages.

There is data exposure that needed to be sanitised and removed, and this is entirely my mess-up: in the refactor from rwMarkable to Jotty I removed a layout file that was sanitising public routes, and the public routes were using the same layout file as the private ones. I kept building since then with the assumption that everything was sanitised, but alas it was not.
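The bug class described above, as an added example that is not Jotty's own code: instead of relying on a separate layout to strip secrets from public routes, the serializer uses an explicit per-visibility allowlist and falls back to the public (most restrictive) view whenever the route or session is not clearly private. The record fields, route prefix and session shape are assumptions, not Jotty's schema.

```javascript
// Constructed sample record; field names are assumptions, not Jotty's schema.
const sampleUser = {
  id: "u1",
  username: "alice",
  apiKey: "CONSTRUCTED-SECRET-KEY",
  email: "alice@example.invalid",
};

// Allowlists: only listed fields ever reach the client for that visibility.
// A secret such as apiKey is never listed, so it cannot leak by omission.
const VIEWS = {
  public: ["username"],
  private: ["id", "username", "email"],
};

// Explicit allowlist copy; an unknown visibility fails closed to "public".
function serializeUser(user, visibility) {
  const fields = VIEWS[visibility] ?? VIEWS.public;
  const out = {};
  for (const f of fields) {
    if (f in user) out[f] = user[f];
  }
  return out;
}

// Route-level helper: visibility is decided from the route and the session,
// never from which layout file happened to wrap the page. Public routes and
// requests without a matching session always get the public view.
function loadUserForRoute(user, route, session) {
  const isPublicRoute = route.startsWith("/public/");
  const ownsSession = session && session.userId === user.id;
  const visibility = !isPublicRoute && ownsSession ? "private" : "public";
  return serializeUser(user, visibility);
}

// Regression check: no serialized payload may contain a secret field.
const SECRET_FIELDS = ["apiKey"];
function leaksSecret(obj) {
  return SECRET_FIELDS.some((f) => f in obj);
}

function demo() {
  const pub = loadUserForRoute(sampleUser, "/public/notes/n1", null);
  const priv = loadUserForRoute(sampleUser, "/notes/n1", { userId: "u1" });
  const other = loadUserForRoute(sampleUser, "/notes/n1", { userId: "u2" });
  return { pub, priv, other };
}
```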

I have patched every single one of the leaks on public routes; however, for logged-in users (only your own users) there's still some data on the frontend I'd like to clean up. This is not critical as it's only available to you, within your safe logged-in session, but for good measure I'll also fix that with the next release. I would rather go live ASAP with the more critical fixes, if that makes sense.


I highly suggest you pull the latest version AS SOON AS POSSIBLE and update your api keys to be absolutely safe. Sorry about this. I hate it happened but THANKFULLY this was raised and I patched it as fast as humanly possible.

Your data is safe if:

  • You host Jotty internally and it is not exposed to the wider public
  • You only use private notes and only share them internally
  • You only have trusted users you share Jotty with

You really should update your admin API keys if:

  • You have public notes/checklists in a public Jotty instance
  • You have untrusted users you share Jotty with

I'll always be transparent with things and will not hide stuff like this from you all. At the end of the day this is an open source project, and the approach should always include transparency and full disclosure.

This however means that the cat is out of the bag with this release, so PLEASE update your instances.

P.S. This was done as quickly as possible to protect data; it fundamentally changes the way user data is loaded across the whole application. Whilst nothing should break, I did go live without doing any testing. I feel the urgency of the matter warrants the risk of some minor feature being broken. Make sure to raise issues if you find any bugs around user behaviour and I'll make sure to work twice as hard to fix them all ❤️

As always I will be on Discord (and as of today Reddit & Telegram) to answer your urgent questions/feedback.

fccview
