Beanstalkd 1.4.6 Security Release Notes

This is a security fix and bugfix release.

As always, there will be no incompatible protocol changes until version 2.0. A client written for version 1.4.6 will work unmodified with any later 1.x release of beanstalkd.

What’s New

• The put command now discards the entire job body before returning JOB_TOO_BIG. Previously, it interpreted the job body as commands. This was a potential security hole, where malicious users could craft job payload data to inject commands without cooperation from the beanstalk client application.
• Fix issue #40 by requiring an absolute path when -b is used with -d.

Full list of changes in this release (includes authorship information):
http://github.com/kr/beanstalkd/compare/v1.4.5...v1.4.6

Our Urls

Download the 1.4.6 tarball directly:
https://github.com/downloads/kr/beanstalkd/beanstalkd-1.4.6.tar.gz

Learn all about beanstalk:
http://kr.github.com/beanstalkd/

Talk about beanstalk development or use at:
http://groups.google.com/group/beanstalk-talk

Bugs

Please report any bugs to:
http://github.com/kr/beanstalkd/issues

Keith Rarick kr@xph.us