
2019 - pump.io blog

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="chrome=1"> <link rel="stylesheet" href="/stylesheets/styles.css"> <link rel="stylesheet" href="/stylesheets/pygment_trac.css"> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"> <script src="/javascripts/scale.fix.js"></script> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"><!--[if lt IE 9]><script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]--> <title>2019 - pump.io blog</title> <!-- TODO: apparently this technically isn't allowed to be relative but it seems to work fine, soooo...--> <link rel="alternate" type="application/rss+xml" href="index.rss"> </head> <body> <div class="wrapper"> <header> <h1 class="header"><a href="/">pump.io</a></h1> <p class="header">Social server with an ActivityStreams API</p> <ul> <li><a class="buttons" href="/tryit.html">Try It Now</a></li> <li class="download"><a class="buttons" href="https://pumpio.readthedocs.io/en/latest/sysadmins.html#installation-instructions">Install</a></li> <li><a class="buttons github" href="https://github.com/pump-io/pump.io">View On GitHub</a></li> </ul> <p class="header">This project is maintained by <a class="header name" href="https://github.com/pump-io">pump.io contributors</a></p> </header> <section> <div class="h-feed"> <h2 class="p-name">Posts from 2019</h2> <p id="postsFrom">Show only <a href="/blog/2019/10/">October</a> </p> <article class="h-entry" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><a href="/blog/2019/10/pump.io-dompurify-security-fixes-available"> <h2 class="p-name">pump.io DOMPurify security fixes available</h2></a> <p class="post-metadata">Published by AJ Jordan on <a href="/blog/2019/10/">October</a> 15, <a href="/blog/2019/">2019</a> in <a class="p-category" href="/blog/category/releases/">releases</a> and <a class="p-category" href="/blog/category/security/">security</a> </p> 
<div class="e-content"><p>Recently the cross-site-scripting sanitization library that pump.io uses, <a href="https://github.com/cure53/DOMPurify">DOMPurify</a>, published several security advisories for mXSS vulnerabilities affecting browsers based on the Blink rendering engine - you can find the latest one, for example, <a href="https://lists.ruhr-uni-bochum.de/pipermail/dompurify-security/2019-October/000012.html">here</a>. As we've done in the past, the pump.io project is publishing security releases to ensure that everyone is using the latest version of DOMPurify. Per our <a href="https://github.com/pump-io/pump.io/wiki/Security">security support policy</a>, we are providing patches for the current stable release and the previous stable release:</p> <ol> <li>pump.io 5.1.2 has been updated to pump.io 5.1.3</li> <li>pump.io 5.0.2 has been updated to pump.io 5.0.3</li> </ol> <p>As these are security releases we encourage administrators to upgrade as soon as possible. Both 5.1.3 and 5.0.3 are drop-in replacements for their predecessors. If you have pump.io 5.1 installed via npm - our recommended configuration - you can upgrade with:</p> <pre><code>$ npm install -g pump.io@5 </code></pre> <p>If you're on pump.io 5.0, we recommend that you also run the above command to upgrade to 5.1 - it's a drop-in replacement for 5.0. 
However, if you want to stick with 5.0 for the time being, you can install a patched version with:</p> <pre><code>$ npm install -g pump.io@5.0 </code></pre> <p>Note that if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do - this will depend on how exactly you have pump.io set up.</p> <p>If you need help, or if you have questions about these security releases, get in touch with <a href="https://github.com/pump-io/pump.io/wiki/Community">the community</a>.</p> </div> </article> <hr> <div id="pages-footer"> <p>Page 1 of 1</p> </div> </div> </section> <footer> <p><small>Hosted on <a href="https://pages.github.com">GitHub Pages</a> using the Dinky theme</small></p> </footer> </div><!--[if !IE]><script>fixScale(document);</script><![endif]--> </body> </html>
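A check an administrator could run after upgrading, given here as an added example that is not part of the original post or the pump.io project: it classifies a pump.io version string against the two fixed releases named above (5.1.3 and 5.0.3). The function names are hypothetical, and `pumpio_installed_version` assumes a global npm install whose `npm ls` output contains a `pump.io@X.Y.Z` entry.

```shell
#!/bin/sh
# Added example (not pump.io project code). Function names are hypothetical.

# Print the globally installed pump.io version, or nothing if not found.
# Assumption: npm-based global install, as recommended in the post.
pumpio_installed_version() {
    npm ls -g --depth=0 pump.io 2>/dev/null |
        sed -n 's/.*pump\.io@\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify a version ("5.1.3" or "pump.io@5.1.3") and print one of:
#   patched        5.0.x or 5.1.x at patch level 3 or later
#   needs-upgrade  5.0.x or 5.1.x below patch level 3
#   unsupported    older than 5.0; no fixed release is named in the post
#   unknown        newer than 5.1; not covered by the post
#   invalid        not a plain MAJOR.MINOR.PATCH string
# Exit status is 0 only for "patched".
pumpio_fix_status() {
    ver=${1##*@}                      # drop a "pump.io@" style prefix
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 2 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # Exactly three components: "rest" must contain a dot, "patch" must not.
    case $rest in *.*) ;; *) echo invalid; return 2 ;; esac
    case $patch in *.*) echo invalid; return 2 ;; esac

    if [ "$major" -lt 5 ]; then echo unsupported; return 1; fi
    if [ "$major" -gt 5 ] || [ "$minor" -gt 1 ]; then
        echo unknown; return 1
    fi
    # Only 5.0.x and 5.1.x reach this point; both were fixed in patch 3.
    if [ "$patch" -ge 3 ]; then echo patched; return 0; fi
    echo needs-upgrade; return 1
}

# Usage: pumpio_fix_status "$(pumpio_installed_version)"
```

Pre-release strings such as `5.1.3-beta.0` are reported as `invalid` rather than guessed at, so they need a manual look.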
