CVE-2021-41146: Arbitrary command execution in qutebrowser on Windows via URL handler

I'm happy to announce that I just released qutebrowser v2.4.0!

This release fixes a high-severity arbitrary command execution on Windows via URL handlers, see the security advisory and commit message for details.

Windows users are urged to update as soon as possible. For everyone else, this is a rather quiet release, with the most interesting improvement perhaps being slightly improved Greasemonkey support.

The full changelog is available on the release page, also see the Reddit post for discussion.

All posts

  1. qutebrowser moving to Libera Chat
  2. Paying it forward
  3. Paving the road towards qutebrowser v2.0
  4. 2019 qutebrowser crowdfunding - reminder
  5. qutebrowser meetup Berlin (2019-11-28)
  6. 2019 qutebrowser crowdfunding with shirts, stickers and more!
  7. Current qutebrowser roadmap and next crowdfunding
  8. Crowdfunding 2019 ideas
  9. Happy birthday, qutebrowser!
  10. CVE-2018-10895: Remote code execution due to CSRF in qutebrowser
  11. qutebrowser v1.3.3 released (security update!)
  12. qutebrowser v1.2.0 released!
  13. T-Shirts shipped, initial implementation of per-domain settings
  14. Current state of per-domain settings
  15. qutebrowser v1.0.0 released!
  16. qutebrowser v1.0.0 is coming closer
  17. New config merged!
  18. Config revolution - Part 1 finished
  19. Refactoring more things, a working YAML config, and more!
  20. Refactoring all the things!
  21. First week
  22. First 2 days
  23. Getting started again
  24. Second qutebrowser crowdfunding launched!
  25. qutebrowser v0.10.0 released
  26. Wrapping up and looking at the future
  27. Days 39/40/41: Lots of features!
  28. Days 37/38: Hints in master, tests
  29. Day 36: Hints!
  30. Days 33-35: Mouse functionality, and rewriting hints
  31. Days 31/32: More web elements
  32. Days 29/30: Web elements
  33. Days 27/28: Settings and web inspector
  34. Day 24-26: Refactoring the WebElement API
  35. Day 21-23: After Europython and releases
  36. Day 19/20: Bugs everywhere!
  37. qutebrowser v0.8.0 released
  38. Day 18: Javascript
  39. Day 17: Printing and searching
  40. Sending out qutebrowser and pytest stickers
  41. Day 15/16: Merged!
  42. Day 13/14: Almost merged!
  43. Day 12: Tests running!
  44. Day 10/11: Refactoring!
  45. Day 9: A bit of everything
  46. Day 8: More fixing and pytest sprint/training
  47. Day 7: Fixing things
  48. Day 6: Branching off
  49. qutebrowser v0.7.0 released
  50. Day 4: Playing whack-a-mole
  51. Day 3: Last pull requests and managing requirement files
  52. Day 2: More pull requests and nicer test output
  53. Day 1: Merging pull requests, and a stupid bug
  54. About and Timeline