On Sun, Jun 24, 2012 at 06:47:09PM +0200, Stefan Husmann wrote:
On 24.06.2012 18:39, Dave Reisner wrote:
On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
On 24.06.2012 16:55, Lukas Fleischer wrote:
Hi!
I just wanted to let everybody know that I'm about to apply a patch to our AUR setup that fixes some CSRF vulnerabilities. This will probably break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR helpers that only make use of the RPC interface won't be affected.
I recommend using the web interface until the affected programs are fixed.
When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?
Regards Stefan
It's already happened. Uploaders who don't cope with this will see an error:
Invalid token for user action.
Yes, it would have been nice to see a little more lead time on this but honestly the change isn't really so severe.
d
So I guess, burp's new version already reflects this?
Yep. 1.6.9 sends the extra authentication token needed for this change.