CVE-2022-27920: Release 10.1.0 · Issue #728 · kiwix/libkiwix
libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0.
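To make the class of bug concrete, the following is an added example written for this page; it is not libkiwix code and not the 10.1.0 fix itself. It contrasts a suggestions handler that interpolates the user-supplied search parameter verbatim into the response with one that escapes the value for its output context (HTML text node, or a JSON string that client-side code will consume). All function names and the page fragment are hypothetical, and the parameter is assumed to be already percent-decoded by the HTTP layer.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Escape the characters that can break out of an HTML text node or a
// double-quoted attribute value. Everything else passes through unchanged.
std::string escapeHtml(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Escape a value for use inside a JSON string literal. Besides the mandatory
// JSON escapes, '<', '>' and '&' are emitted as \u escapes so the document
// stays inert even if it is ever embedded inline in an HTML page.
std::string escapeJsonString(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        switch (c) {
            case '"':  out += "\\\"";    break;
            case '\\': out += "\\\\";    break;
            case '\n': out += "\\n";     break;
            case '\r': out += "\\r";     break;
            case '\t': out += "\\t";     break;
            case '<':  out += "\\u003c"; break;
            case '>':  out += "\\u003e"; break;
            case '&':  out += "\\u0026"; break;
            default:
                if (c < 0x20) {            // remaining control characters
                    char buf[8];
                    std::snprintf(buf, sizeof buf, "\\u%04x", c);
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    return out;
}

// Vulnerable pattern (hypothetical handler): the query from the URL
// parameter lands in the HTML body unchanged, so markup in it is rendered.
std::string renderSuggestionsUnsafe(const std::string& query) {
    return "<p>No suggestions for <b>" + query + "</b></p>";
}

// Hardened pattern: the same page, with the user-controlled value escaped
// for the HTML text-node context it is placed in.
std::string renderSuggestionsSafe(const std::string& query) {
    return "<p>No suggestions for <b>" + escapeHtml(query) + "</b></p>";
}

// Hardened JSON variant for an autocomplete endpoint; the caller should also
// send Content-Type: application/json so browsers never treat it as HTML.
std::string renderSuggestionsJson(const std::string& query) {
    return "{\"query\":\"" + escapeJsonString(query) + "\",\"suggestions\":[]}";
}

int main() {
    // Constructed sample input: markup smuggled in through the query value.
    const std::string query = "<img src=x>";
    std::cout << "unsafe: " << renderSuggestionsUnsafe(query) << "\n";
    std::cout << "safe:   " << renderSuggestionsSafe(query) << "\n";
    std::cout << "json:   " << renderSuggestionsJson(query) << "\n";
    return 0;
}
```

The point of keeping two escapers is that the correct encoding depends on where the value ends up: HTML entity encoding is wrong inside a JSON body, and JSON escaping alone is wrong inside an HTML page. A review of a web handler should check, for each user-controlled value, which context it is written into and that the matching escaper is applied at that point rather than somewhere upstream.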
Following the remark from @legoktm at #721 (comment):
Thanks, so a597870 was only included in 10.0.0 (no released Debian versions are affected, just unstable).
Could we do a 10.0.2 release with just this cherry-picked? I note that even library.kiwix.org is vulnerable to this. Or if 10.1.0 is coming pretty soon then waiting wouldn’t be too bad.
And we should also get a CVE ID assigned for this vulnerability, @kelson42 if you haven’t gone through this process before I’m happy to help out.
I also believe we should not wait too much to make the release of 10.1.0.
- Secure the CI is green on git master
- Kiwix-Build is OK
- Update the Changelog
- Update version
- Close current milestone and create new one incrementally (a priori a minor version)
- Create a tag on git
- Secure new source/binaries are published on http://download.kiwix.org
- Update the Github release with the Changelog
- Create new empty entry in Changelog (placeholder for future entries)
- Publicize these new versions