Post-HoHoHolidays release - Aka the hangover release

@Rafiot Rafiot released this 10 Jan 17:10
v1.3.1

Security patch

This release fixes CVE-2023-22898, where a nested archive (aka ZIP bomb) could trigger a denial of service (DoS) on the platform, especially in the extractor module. Thank you @kurgans0 for reporting it.

New features

  • Limit the number of archives to recursively extract from a file, and the maximum depth (fixes CVE-2023-22898)
  • Display link to VT report instead of text in the report
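
The kind of bound described in the security patch and the first feature above, as an added sketch that is not Pandora's own extractor code. The limit values, `extract_nested`, `ExtractionLimitError` and `build_nested_zip` are assumptions made for this illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile

MAX_DEPTH = 3      # assumed value, not Pandora's actual default
MAX_ARCHIVES = 10  # assumed value, not Pandora's actual default


class ExtractionLimitError(Exception):
    """Raised when a nested archive exceeds the depth or archive-count budget."""


def extract_nested(data, max_depth=MAX_DEPTH, max_archives=MAX_ARCHIVES):
    """Return {path: bytes} for every non-archive member, walking nested ZIPs."""
    leaves, opened = {}, 0
    stack = [("", data, 1)]  # (path prefix, raw bytes, depth of this archive)
    while stack:
        prefix, blob, depth = stack.pop()
        if depth > max_depth:
            raise ExtractionLimitError(f"depth {depth} exceeds {max_depth}")
        opened += 1  # one budget shared by the whole tree, not per branch
        if opened > max_archives:
            raise ExtractionLimitError(f"more than {max_archives} archives")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                path = f"{prefix}{info.filename}"
                if zipfile.is_zipfile(io.BytesIO(member)):
                    stack.append((path + "/", member, depth + 1))
                else:
                    leaves[path] = member
    return leaves


def build_nested_zip(depth, fanout=1):
    """Constructed sample: ZIP nested `depth` levels, `fanout` copies per level."""
    blob, name = b"payload", "leaf.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout if level else 1):
                zf.writestr(f"{i}_{name}", blob)
        blob, name = buf.getvalue(), f"level{level}.zip"
    return blob
```

The sketch bounds only archive count and depth, the two limits named above; it does not check the uncompressed size of individual members.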

Changes

  • Many improvements in the dfVFS extractor, support files with multiple filesystems
  • Improve mime types synonyms
  • Improve notification email (set reply-to if possible, insert full link in email body)
  • Bump all dependencies

Bug fixes

  • Fix exception on edge cases when using the dfVFS extractor
  • Only allow submitting one file at a time - the UI was allowing multiple files by mistake; it wasn't supposed to be supported and causes UI issues. Support for multiple uploads will be implemented later.