This is an important security fix for 1.14. Please upgrade!
CVE-2023-1350 Remote code execution on feed enrichment
If you have enabled "Extract full content from HTML5 and Google AMP" for one or
more of your feed subscriptions it is possible for a an attacker to inject a script command
that would run any command on your system.
Upgrading to 1.14.1 solves this security problem.
If you cannot upgrade disable "Extract full content from HTML5 and Google AMP" for all
of you feeds. This can be done in the feed properties dialog,
If you have many feeds you might want to do this automatically:
- Close Liferea
- Open
~/.config/liferea/feedlist.opml
in an editor - Replace all occurences of
html5Extract="true"
with an empty string
Changes
* Fixes CVE-2023-1350: RCE vulnerability on feed enrichment
(patch by Alexander Erwin Ittner)
* Fixes #1200: Crash on double free
(mozbugbox)
* Improve #1192 be reordering widget creation order
(Lars Windolf)