pglombardo/PasswordPusher v2.4.2 on GitHub

📝 What’s Changed

A way to bypass authentication to create pushes with file attachments was discovered & reported by @pyuysig. This has been fixed in this release. We will be publishing the related Github Security Advisory soon.

Thanks to @pyuysig for the great report!

Note: LTS release v1.69.4 has also been released also for those who haven't upgraded to v2 pwpush yet.

Security: Fix file upload authentication enforcement (#4381) @pglombardo
Update Settings to ignore environment variables for tests (#4380) @ozovalihasan

👥 List of contributors

@ozovalihasan and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

Point DNS to your server (e.g. pwpush.example.com).
Download docker-compose.yml or clone the repo.
In docker-compose.yml, uncomment and set:
- TLS_DOMAIN: 'pwpush.example.com' for automatic Let’s Encrypt TLS.
Run:

docker compose up -d

Open https://pwpush.example.com or alternatively http://your-ip:5100.

pglombardo/PasswordPusher v2.4.2
v2.4.2: [Security] Fix method to bypass auth for anonymous file uploads

on GitHub

📝 What’s Changed

👥 List of contributors

🛥️ Docker Images

🏃‍♂️ Run This Version

🔗 Useful Links

pglombardo/PasswordPusher v2.4.2 v2.4.2: [Security] Fix method to bypass auth for anonymous file uploads on GitHub

📝 What’s Changed

👥 List of contributors

🛥️ Docker Images

🏃‍♂️ Run This Version

🔗 Useful Links

pglombardo/PasswordPusher v2.4.2
v2.4.2: [Security] Fix method to bypass auth for anonymous file uploads

on GitHub