Security alert for all versions of StatusNet
Yvan Boily of the Mozilla Security team alerted us to a cross-site scripting (XSS) attack on versions of StatusNet from 0.8.x up. We have released new versions of the stable code (0.9.x branch) and upcoming 1.0 release (1.0.x branch). All StatusNet users are encouraged to upgrade to either version 0.9.9 or 1.0.0beta2 as soon as possible. Until you can upgrade, we recommend disabling the realtime browser updates provided by the Meteor plugin or other realtime plugins.
StatusNet's cloud services and StatusNet OnDemand have been updated to the corrected code.
Thanks to Yvan and the rest of the Mozilla Security team for this bug report. The attack was identified as part of the Mozilla Security Bug Bounty Program, a great program. mozilla.status.net is a great community of Mozilla Drumbeat folks on our Open Source platform, so it's nice to have it covered by the bug bounty program.