Impact
Read the Docs 5.14.0 fixes an issue that affected new code that removed multiple slashes in URL paths. The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain on Read the Docs (either *.readthedocs.io or a custom docs domain) but instead went to a different domain.
This issue was reported by Splunk after it was reported by a security audit. It was also reported independently by Alex Gaynor of the Cryptography project. Thanks again to both of them for reporting it privately.
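For operators reviewing their own slash-normalizing redirects, the check below shows one way to keep such a redirect on the requesting host. It is an added example, not Read the Docs code: the advisory does not publish the affected code, so the function names, the hosts and the sample paths are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

_MULTI_SLASH = re.compile(r"/{2,}")


def collapse_slashes(path: str) -> str:
    """Collapse runs of '/' and force exactly one leading slash.

    Forcing a single leading slash matters: a redirect target that starts
    with '//' is read by browsers as a scheme-relative URL naming a host.
    """
    return "/" + _MULTI_SLASH.sub("/", path).lstrip("/")


def safe_redirect_target(request_host: str, raw_path: str, query: str = "") -> str:
    """Build an absolute redirect URL pinned to request_host (hypothetical helper)."""
    # Reject control characters; browsers strip some of them while parsing URLs.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw_path):
        raise ValueError("control character in path")
    # Browsers treat '\' like '/', so normalize it before collapsing.
    path = collapse_slashes(raw_path.replace("\\", "/"))
    # Emit an absolute URL so the host never depends on how the path is parsed.
    target = urlunsplit(("https", request_host, path, query, ""))
    # Re-parse what will be sent and confirm the host is still ours.
    if urlsplit(target).netloc != request_host:
        raise ValueError("redirect would leave the docs domain")
    return target


if __name__ == "__main__":
    # Constructed sample paths; docs.example.test stands in for a docs domain.
    for sample in ("/en//latest///index.html", "//other.example.test/page"):
        print(sample, "->", safe_redirect_target("docs.example.test", sample))
```
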
Patches
The problem has been fixed and deployed on readthedocs.org and readthedocs.com. For users who depend on the Read the Docs code line for a private instance of Read the Docs, you are encouraged to upgrade to the latest version as soon as possible.
For more information
If you have any questions or comments about this advisory: