List of security fixes

Hi
I’m trying to find a list of security fixes per release in order to determine how urgent upgrading the version of ServiceStack we have deployed is. Where can I find this information?

There isn’t a list of security fixes as they’re very rare, you’d have to go through the release notes to see changes we’ve made to Auth.

The last reported vulnerability we fixed was in v4.5.10:
https://docs.servicestack.net/releases/v4.5.10#vulnerability-with-object-properties

There was an XSS fix in v5.2.0 for the Auto HTML pages with a malformed URL, but we couldn’t repro it with a modern browser, which prevented sending the malformed URL, and the Auto HTML is a developer page, not a user-facing page.

We’ve made a number of changes to Auth over the years as published in the Release Notes, but they’re not in response to a reported vulnerability, just in following security best practices, e.g. in the latest v5.5 GET Authenticate Requests are disabled by default which mitigates them from being visible in logs.
