We’ve just released Shiny Server and Shiny Server Pro 1.4.6. Relative to 1.4.2, our previously blogged-about version, the 1.4.6 release primarily includes bug fixes, and mitigations for low-severity security issues found by penetration testing. The full list of changes is after the jump.
If you’re running a Shiny Server Pro release that is older than 1.4.3 and are configured to use SSL/TLS, it’s especially important that you upgrade, as the versions of Node.js that are bundled with Shiny Server Pro 1.4.3 and earlier include vulnerable versions of OpenSSL.
Shiny Server (Open Source): Download now
Shiny Server Pro 1.4.6
Bug fix release.
- Fix a bug where a 404 response on some URLs could cause the server to exit with an unhandled exception.
Shiny Server Pro 1.4.5
Security release to fix minor issues raised in penetration test results.
- Add `disable_login_autocomplete` directive that can be used to instruct browsers not to attempt to autocomplete on the login screen. Note that servers can only suggest this behavior to browsers (and in particular, Google Chrome chooses not to comply, as its developers argue that disabling autocomplete decreases security rather than increasing it).
- Add opt-in clickjacking protection via `frame_options` directive. Login and /admin URLs now served with `X-Frame-Options: DENY` (the former can be opted out with an
- Fix open redirection on login. Previously, a URL created with malicious intent could cause you to go to an arbitrary URL after successful login. Now, it is only possible to be redirected to a path on Shiny Server.
- Add Cross-Site Request Forgery (CSRF) protection to login and other POST operations.
Shiny Server Pro 1.4.4
- Fix fatal EBADF error that could cause server crashes.
- Updated PAM integration to resolve bug with asynchronous PAM modules like pam_ldap, pam_vas, and nss_ldap.
- Upgrade to Node.js v0.10.46 (security patches).
Shiny Server Pro 1.4.3
- Added proxied authentication mechanism via the
- Upgrade to Node.js v0.10.45 (primarily for updated OpenSSL).