Security release 1.3.1 of pretix
Yesterday we discovered that pretix contained a bug with security implications. We have therefore just released version 1.3.1 of pretix, which fixes the problem, and recommend that you update your installation as soon as possible. If you are a customer of our hosted service, the vulnerability is already fixed for you and you do not need to take action.
pretix allows event organizers to define custom questions that are presented to ticket buyers upon checkout. Those questions can then be attached to one or more products.
Due to a software bug, there was a rare edge-case in which it could happen that questions defined within one event could get attached to products of a different event, leading to confusing behaviour for both organizers and ticket buyers.
Primarily, this is a software bug, but since it leads to information leakage between events, we are treating it as a security vulnerability.
Only question titles were leaked; no private information could be accessed and no data could be modified by unauthorized users. The error only occurred in the edge case of questions belonging to events on the same server that are not attached to any products. Given that most self-hosted pretix installations only host events operated by the same team and a very small number of people, we assess the severity of this issue as low.
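To illustrate the kind of isolation guard that prevents this class of bug, here is an added example written for this post. It is not pretix's own code and does not use its models; the names Event, Product, Question, attach_question, questions_for_checkout and audit_stray_links are hypothetical. It enforces the invariant "a question may only be attached to products of its own event" at the point of linking, filters again at the point of display, and provides a server-wide audit of any stray cross-event links in existing data.

```python
"""Illustrative tenant-isolation check for questions attached to products.

Added example for this post; not pretix's own code. Event, Product, Question
and the functions below are hypothetical stand-ins for the real models.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    slug: str


@dataclass
class Question:
    title: str
    event: Event  # every question belongs to exactly one event


@dataclass
class Product:
    name: str
    event: Event
    questions: list = field(default_factory=list)


class CrossEventError(ValueError):
    """Raised when a question from one event would be linked to a product of another."""


def attach_question(product: Product, question: Question) -> None:
    # The guard: compare the owning events before creating the link. This is
    # the check whose absence allows titles to leak between events.
    if product.event != question.event:
        raise CrossEventError(
            f"question {question.title!r} belongs to event {question.event.slug!r}, "
            f"product {product.name!r} belongs to {product.event.slug!r}"
        )
    if question not in product.questions:
        product.questions.append(question)


def questions_for_checkout(product: Product) -> list[str]:
    # Defence in depth at the point of display: even if a stray link exists in
    # the database, only titles from the product's own event reach buyers.
    return [q.title for q in product.questions if q.event == product.event]


def audit_stray_links(products: list[Product]) -> list[tuple[str, str]]:
    # Server-wide audit returning (product name, question title) for every link
    # that crosses an event boundary; useful after an upgrade to confirm the
    # stored data is clean.
    return [
        (p.name, q.title)
        for p in products
        for q in p.questions
        if q.event != p.event
    ]


if __name__ == "__main__":
    # Constructed sample data: two events on the same server.
    conf_a, conf_b = Event("conf-a"), Event("conf-b")
    ticket = Product("Ticket", conf_a)
    attach_question(ticket, Question("T-shirt size", conf_a))
    try:
        attach_question(ticket, Question("Dietary preference", conf_b))
    except CrossEventError as exc:
        print("rejected:", exc)
    print("shown at checkout:", questions_for_checkout(ticket))
```

The audit function is the piece an operator would run once after updating: an empty result confirms that no cross-event links remain in the stored data.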
Affected versions and fixes
All pretix installations running versions between 1.1.0 and 1.3.0 are affected. We just released updates for all stable branches on PyPI that fix the problem:
The new docker images will appear on Docker Hub over the next few hours. The 1.3.1 release also contains a minor fix for a bug that leads to the attendee name not being printed on the ticket if printing the QR code content is disabled.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bugfixes, even if they are not security related.
If you want to stay informed about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Twitter.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are human, security issues may unfortunately still occur from time to time. We do everything we can to find and fix them as promptly as we can. If you notice any security problems or have any questions on this topic, please contact us in private at firstname.lastname@example.org. We will always treat your message with the appropriate priority.