Hangfire Security Announcements
An easy way to perform background processing in .NET and .NET Core applications. No separate process required, uses persistent storage.
Feed updated: 2024-03-15T11:09:47+00:00
Site: https://www.hangfire.io
Author: odinserj (https://twitter.com/odinserj)

Hangfire 1.7.26
https://www.hangfire.io/blog/2021/10/27/hangfire-1.7.26
odinserj, 2021-10-27 | release, security, hangfire-core

This security patch fixes a regression that appeared in the previous version, 1.7.25, and makes the Dashboard UI available to remote requests in the default configuration, i.e. when no authentication filter is specified. Please note that when a custom authentication filter is defined, as recommended in the documentation, everything works as expected, but upgrading is recommended in any case. Please read the GHSA-7rq6-7gv8-c37h security advisory (https://github.com/HangfireIO/Hangfire/security/advisories/GHSA-7rq6-7gv8-c37h) for details.
Unaffected by Codecov Breach
https://www.hangfire.io/blog/2021/04/21/unaffected-by-codecov-breach
odinserj, 2021-04-21 | security

On Apr 15, 2021, the Codecov (code coverage tool) team published the Bash Uploader Security Update post (https://about.codecov.io/security-update/) describing their recent security breach, yet another supply-chain attack. Since we have used this software for Hangfire in the past, and since it is still used by one of our projects, Cronos (https://github.com/HangfireIO/Cronos), we began to investigate what had happened. In short: we used the Codecov tool from PyPI (Python Package Index, https://pypi.org/project/codecov/), which is different from the Bash Uploader and is unaffected by the recent breach (https://github.com/codecov/codecov-python/issues/316), according to the Codecov team.
Hangfire 1.7.3 and 1.6.26
https://www.hangfire.io/blog/2019/05/23/hangfire-1.7.3
odinserj, 2019-05-23 | release, security, hangfire-core

This version contains security fixes to prevent possible XSS attacks as described in #1441 (https://github.com/HangfireIO/Hangfire/issues/1441). They don't relate to user data submitted to Hangfire directly via method arguments, but it's recommended to upgrade anyway. If you are using Hangfire 1.6, please upgrade to version 1.6.26 (https://github.com/HangfireIO/Hangfire/releases/tag/v1.6.26) instead.
Hangfire 1.6.20
https://www.hangfire.io/blog/2018/07/21/hangfire-1.6.20
odinserj, 2018-07-21 | release, security, hangfire-core

This release contains fixes for security issues related to the Dashboard, so it is highly recommended to upgrade. Cross-Site Request Forgery protection (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) was added by using existing libraries, but the methods differ across application frameworks:
Hangfire.Pro.Redis 1.4.2
https://www.hangfire.io/blog/2015/11/05/hangfire-pro-1.4.2
odinserj, 2015-11-05 | release, security, hangfire-pro

This release fixes a security issue that caused the Redis password to leak to log targets during Hangfire Server startup. The password was also shown in the Dashboard. If you are using password-protected Redis, it is highly recommended to update to this release and change the Redis password.