Conductance 0.4.1 security fix

June 30, 2014 by Tim Cuthbertson

We have discovered a security issue in Conductance which allows a remote attacker to access files readable to the Conductance user via a specially crafted GET request.

We've just published Conductance 0.4.1, which fixes this issue. We recommend all users update to this version immediately.

If you've installed directly from conductance.io, you can update by running conductance self-update.

If you're using a previous or custom version of Conductance, you can manually apply commit ebe1e2ef788b88470fb1b51ad68a9e77dbb236b0 to fix your local version. All versions of Conductance prior to 0.4.1 are vulnerable to this issue. Please get in touch if you have questions about applying this patch.