What's Changed
This release fixes GHSA-76c2-66pg-fj2f. Previously, a malicious user could supply a specific payload to a URL push that triggered an XSS vulnerability for recipients.
Thanks to @de3erve-hunter for reporting! A CVE has been requested. GHSA-76c2-66pg-fj2f will be updated once the CVE is available.
- Restrict URL push payloads to http and https schemes to fix GHSA-76c2-66pg-fj2f (#4595) @pglombardo
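
The fix above restricts URL push payloads to the http and https schemes. A sketch of that kind of scheme allowlist in Ruby, added here as an illustration and not taken from the Password Pusher code base; `safe_push_url?`, `ALLOWED_SCHEMES` and `SAMPLES` are hypothetical names, and the sample inputs are constructed:

```ruby
require "uri"

# Hypothetical allowlist (not the project's own constant).
ALLOWED_SCHEMES = %w[http https].freeze

# Returns true only for absolute http(s) URLs with a host.
# Anything that fails to parse, or parses to another scheme, is rejected.
def safe_push_url?(payload)
  return false unless payload.is_a?(String) && payload.valid_encoding?
  # Reject whitespace and control characters anywhere in the value:
  # browsers strip some of them before resolving the scheme, so the
  # server-side parser and the recipient's browser could disagree.
  return false if payload.empty? || payload.match?(/[\s\x00-\x1f\x7f]/)

  uri = URI.parse(payload)
  # Allowlist, not denylist: unknown or missing schemes fail closed.
  return false unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  # "http:example.com" parses with the right scheme but no authority.
  return false if uri.host.nil? || uri.host.empty?

  true
rescue URI::InvalidURIError
  false
end

# Constructed sample inputs, for illustration only.
SAMPLES = [
  "https://pwpush.example.com/docs", # accepted
  "HTTP://example.com",              # accepted, scheme is case-insensitive
  "javascript:void(0)",              # rejected, scheme not on the allowlist
  "data:text/plain,hello",           # rejected, scheme not on the allowlist
  "ftp://example.com/file",          # rejected, scheme not on the allowlist
  "//example.com",                   # rejected, scheme-relative
  " https://example.com",            # rejected, leading whitespace
  "http:example.com"                 # rejected, no host
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts format("%-36s %s", s.inspect, safe_push_url?(s)) }
end
```

Run the check when the push is created and again before the stored value is used as a link or redirect target, so records saved before the upgrade are covered as well.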
Dependency updates
- Bump google-apis-core from 1.2.3 to 1.2.4 (#4593) @dependabot[bot]
- Bump thruster from 0.1.21 to 0.1.22 (#4594) @dependabot[bot]
List of contributors
@dependabot[bot], @pglombardo and dependabot[bot]
Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
Run This Version
- Point DNS to your server (e.g. pwpush.example.com).
- Download docker-compose.yml or clone the repo.
- In docker-compose.yml, uncomment and set TLS_DOMAIN: 'pwpush.example.com' for automatic Let's Encrypt TLS.
- Run: docker compose up -d

Open https://pwpush.example.com or alternatively http://your-ip:5100.