Etherpad 1.2.9 fixes "massive security issue"
Etherpad Lite recently underwent a security audit by Mozilla. The developers say the audit prompted an urgent effort to fix "gaping loopholes" in the collaborative editor's security and, in turn, the release of version 1.2.9 of Etherpad Lite. Issues addressed include a major security problem where an attacker could submit content as another user and a problem with unescaped user input.
Calling the 1.2.9 version "the most secure version released", the developers point out they still have work to do as the latest patches have caused some issues with "user experience and import functionality". They say that "this shouldn't hold you back from updating", indicating that, even though they are lacking a security advisory and rating scheme, the issues are serious enough to update despite the flaws.
Etherpad Lite is the successor to the original Etherpad and is implemented as a JavaScript application with a Node.js backend, making it more lightweight and stable than the original application. Interested users can try an online demo of the Apache v2 licensed code.
Details of the changes in Etherpad Lite 1.2.9 can be found in the change log. Updates can be git pulled from the GitHub repository or downloaded from the project's site for Linux/Mac or Windows.
(djwm)