[qutebrowser-announce] qutebrowser v2.4.0 released: Critical RCE fix on Windows (CVE-2021-41146), plus small features/fixes
Florian Bruhin
me at the-compiler.org
Thu Oct 21 19:22:23 CEST 2021
Hey,
I'm happy to announce that I just released qutebrowser v2.4.0!
This release fixes a high-severity arbitrary command execution on
Windows via URL handlers; see the security advisory and commit message
for details:
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430
Windows users are urged to update as soon as possible. For everyone
else, this is a rather quiet release, with the most interesting
improvement perhaps being slightly improved Greasemonkey support.
Here's the full changelog:
Security
~~~~~~~~
- **CVE-2021-41146**: Fix arbitrary command execution on Windows via URL handler
  argument injection. See the security advisory for details.
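The vulnerability class named in the entry above, argument injection through an OS URL handler, as an added Python example that is not qutebrowser's code: the page only names the class, so the `--untrusted-args` sentinel name, the flag/command classification rules and the sample arguments below are my own constructions. The naive dispatcher interprets every argv entry, wherever it came from, so a URL handed over by the OS can be read as a flag or a command. The hardened dispatcher assumes the handler registration places a sentinel before `%1` and treats everything after it as exactly one opaque URL.

```python
"""Model of a browser command-line entry point reached via an OS URL handler.

Constructed example (not qutebrowser's code). A URL-handler registration such as
`browser.exe "%1"` passes whatever the OS hands it to this entry point, so the
entry point must never let that argument be read as a flag or a command.
"""

UNTRUSTED_SENTINEL = "--untrusted-args"  # hypothetical flag name, my own choice


class HandlerArgsError(ValueError):
    """Raised when an argument that came from the OS is not a plain URL/search term."""


def classify(arg):
    """How a naive CLI reads a single argument: flag, command, or something to open."""
    if arg.startswith("-"):
        return ("flag", arg)
    if arg.startswith(":"):
        return ("command", arg[1:])
    return ("open", arg)


def dispatch_naive(argv):
    """Vulnerable pattern: every argument is interpreted, whatever its origin.

    If argv came from a URL-handler registration, the URL itself decides
    whether it is treated as a flag, a command, or a page to open.
    """
    return [classify(a) for a in argv]


def dispatch_hardened(argv):
    """Arguments after the sentinel are opaque data: exactly one, never a flag or command.

    The registration is expected to be `browser.exe --untrusted-args "%1"`, so the
    first sentinel in argv is the one the registration placed; anything after it,
    including a second copy of the sentinel, is untrusted.
    """
    if UNTRUSTED_SENTINEL not in argv:
        return dispatch_naive(argv)
    idx = argv.index(UNTRUSTED_SENTINEL)
    trusted, untrusted = argv[:idx], argv[idx + 1:]
    # A single "%1" must arrive as a single token; more or fewer means the OS
    # split or dropped it, and guessing which token was the URL is unsafe.
    if len(untrusted) != 1:
        raise HandlerArgsError(
            f"expected exactly one untrusted argument, got {len(untrusted)}")
    url = untrusted[0]
    if url.startswith(("-", ":")):
        raise HandlerArgsError(
            f"untrusted argument looks like a flag or command: {url!r}")
    return dispatch_naive(trusted) + [("open", url)]


if __name__ == "__main__":
    # Constructed sample argv lists, as an OS URL handler might deliver them.
    samples = [
        ["--untrusted-args", "https://example.com/"],
        ["--untrusted-args", ":reload"],
        ["--untrusted-args", "--verbose"],
        ["--untrusted-args", "https://example.com/", "extra"],
    ]
    for argv in samples:
        print("naive   :", dispatch_naive(argv))
        try:
            print("hardened:", dispatch_hardened(argv))
        except HandlerArgsError as err:
            print("hardened: rejected,", err)
```

The point of the split is that the parser no longer has to guess the origin of an argument: only what precedes the sentinel is trusted configuration from the registration itself, and the single trailing token is data that is only ever opened, never interpreted.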
Added
~~~~~
- New `content.blocking.hosts.block_subdomains` setting which can be used to
  disable the subdomain blocking for the hosts-based adblocker introduced in
  v2.3.0.
- New `downloads.prevent_mixed_content` setting to prevent insecure
  mixed-content downloads (true by default).
- New `--private` flag for `:tab-clone`, which clones a tab into a new private
  window, mirroring the same flags for `:open` and `:tab-give`.
Fixed
~~~~~
- Switching tabs via mouse wheel scrolling now works properly on macOS. Set
  `tabs.mousewheel_switching` to false if you prefer the previous behavior.
- Speculative fix for a crash when closing qutebrowser while a systray
  notification is shown.
Changed
~~~~~~~
- Typing in the filename prompt now filters matching directories.
- When opening a file qutebrowser can't handle from a `file:///` directory
  listing, qutebrowser now opens it with the default application rather than
  displaying a download prompt.
- In Greasemonkey scripts, using "overrideMimeType" with GM_xmlhttpRequest is
  now supported.
- `:hint --rapid` is now supported for the `tab` hinting target no matter what
  `tabs.background` is set to, as there are various scenarios where tabs can
  open in the background.
- New flags for the `qute-pass` userscript:
  * `--unfiltered` to show all secrets, not just the one matching the current
    URL.
  * `--always-show-selection` to confirm the password to be entered even if
    there's only a single match.
- In insert mode, `<Shift-Escape>` is now bound to `fake-key <Escape>` by
  default, i.e., sends an Escape keypress to the website.
- Using `GM_setClipboard` in Greasemonkey scripts is now supported.
Florian
--
me at the-compiler.org | https://www.qutebrowser.org
https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/