I have just released TurboGears 0.8.8. The only change from 0.8.7 is the requirement of CherryPy 2.1.1.
The staticfilter of CherryPy 2.1.0 has a serious security flaw that would allow people to retrieve files from “..”. You should update as soon as possible:
- You can run “easy_install CherryPy>=2.1.1” as the simplest update path
- You can also use the standard TurboGears upgrade instructions: http://www.turbogears.org/download/upgrade.html
Thanks to Remi Delon and the others on the CherryPy team for a fast fix and release on this issue!