TurboGears 0.8.8 security fix release

Jan 10, 2006 18:21 · 83 words · 1 minute read

I have just released TurboGears 0.8.8. The only change from 0.8.7 is the requirement of CherryPy 2.1.1.

The staticfilter of CherryPy 2.1.0 has a serious security flaw that would allow people to retrieve files from “..”. You should update as soon as possible:

You can run “easy_install CherryPy>=2.1.1” as the simplest update path
You can also use the standard TurboGears upgrade instructions: http://www.turbogears.org/download/upgrade.html

Thanks to Remi Delon and the others on the CherryPy team for a fast fix and release on this issue!