static filekeys

9001 released this 06 Oct 18:25

· 764 commits to hovudstraum since this release

fcc3336

read-only demo server at https://a.ocv.me/pub/demo/
docker image ╱ similar software ╱ client testbed

no vulnerabilities since 2023-07-23

there is a discord server with an @everyone in case of future important updates
v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

#52 add alternative filekey generator:
- volflag fka changes the calculation to ignore filesize and inode-number, only caring about the absolute-path on the filesystem and the --fk-salt
- good for linking to markdown files which might be edited, but reduces security a tiny bit
add warning on startup if --fk-salt is too weak (for example when it was upgraded from before v1.7.6)
- removed the filekey upgrade feaure to ensure a weak fk-salt is not selected; a new filekey will be generated from scratch on startup if necessary

other changes

pyftpdlib upgraded to 1.5.8
copyparty.exe built on python 3.11.6
- the exe in this release will be replaced with an 3.12.0 exe as soon as pillow adds 3.12 support

⚠️ not the latest version!

Assets 7