Version 0.2.1 has been released and is a critical security update. Due to a flaw in the implementation of the SearchEntities method in the tree package, an attacker could exfiltrate an unredacted copy of the entity database. This would be difficult for an organization to detect, as tools like nsscache perform full searches regularly.

The bug has been present since version 0.0.12, and affects all versions until 0.2.1. The complete list is as follows:

Version 0.0.12 was originally released on 2018-12-16.

The changelog, however short, is included below for v0.2.1:

* 9030c1c - (tag: v0.2.1) internal/tree: Ensure searched entities are sanitized
>> Home