[Geocoding] Bugfix releases for Nominatim 4.2, 4.1, 4.0 and 3.7
Sarah Hoffmann
lonvia at denofr.de
Wed Feb 22 10:22:33 UTC 2023
Hi,
today we have released versions 4.2.1, 4.1.2, 4.0.2 and 3.7.3 of Nominatim
which fix a cross-site scripting issue in the API.
As part of a feature request[1]
we were made aware that Nominatim's debug output improperly quotes user input,
so that any javascript code may be injected through the URL. The bug-fix
releases fix this issue. Given that Nominatim does not handle sensitive user
data, the severity is only medium even though it can be exploited very easily.
You should update nonetheless, especially when running a Nominatim instance in
a sensitive environment.
Updating is straightforward. Simply build and install the new version.
If you are running a 4.1 installation, please check which patch version
you are running. If you are on 4.1.99, then you need to update to 4.2.1
directly.
Kind regards
Sarah
[1] https://github.com/mediagis/nominatim-docker/issues/425
More information about the Geocoding
mailing list