ImageSharp vulnerability with Robust, effect on engine versions, launcher changes #25981
PJB3005
announced in
Hosting Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
The ImageSharp vulnerability also affected RobustToolbox. It took a bit longer to address on our side without completely nuking the hub though.
The fix has been backported to all Robust engine versions that are currently in use by a hubbed server. The launcher will automatically switch players to these new updated engine versions instead of the vulnerable ones. This should not cause any issues, but read on for details.
Background
Basically we have like ~25 different engine versions currently active on the hub, some of which more than a year old. We had to backport the fix to ALL of these, as simply updating the latest version and blocking old vulnerable versions would take down 95% of servers by player count.
Launcher Changes
The launcher now has the ability to "redirect" the engine version to a newer one than the server asks for. I backported the fix to all those 25 engine versions and marked them as redirected. This means that if your server is hosted on Robust 212.0.1, the client will actually use 212.0.2.
The difference between these versions should be absolutely tiny and there should be no problems. But if players suddenly start having issues, let me know.
Updating Your Servers
Because it's a vulnerability you're probably still better off updating your servers to fixed versions, though I'm not aware of any SS14 upstream features that could allow players or admins to exploit it. It might also help If something does go wrong for players (we try to do some degree of semver but we're not perfect).
You can do this by going into your
RobustToolbox
repo and checking out the newer tag for the version, and committing that. The tag should just be "+1". So if you're on212.0.1
, it'd be212.0.2
instead.Beta Was this translation helpful? Give feedback.
All reactions