Liferea News Reader 1.14.1 Released with a Critical Security Fix

For users of the Liferea feed reader, new versions 1.14.1 and 1.12.10 were released a few days ago. All users are urged to upgrade due to an important security fix.

Liferea is a free open-source GTK3 feed reader that brings together all of the content from your favorite subscriptions into a simple interface. It can synchronize with Reedah, TinyTinyRSS, and Google Reader API.

Just a few days ago, the project published new point releases for its 1.14 and 1.12 release series with an important security fix.

The fix addresses CVE-2023-1350, a remote code execution on feed enrichment.

If you have enabled “Extract full content from HTML5 and Google AMP” for one or more of your feed subscriptions, it is possible for an attacker to inject a script command that would run any command on your system.

All users are recommended to upgrade to the new release with this bug-fix.

If you cannot upgrade right away, you can alternatively disable “Extract full content from HTML5 and Google AMP” for all feeds via the following steps:

  1. Close Liferea
  2. Open ~/.config/liferea/feedlist.opml in an editor
  3. Replace all occurrences of html5Extract="true" with an empty string
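
The three steps above as a script, an added example that is not shipped with Liferea or published by the project; the function name, exit codes and the .bak backup copy are choices made for this example. It refuses to run while Liferea is open and checks afterwards that no subscription still has the option set.

```shell
#!/bin/sh
# Added example: the article's three-step workaround as a function.
# The function name, exit codes and ".bak" suffix are choices of this example.

disable_html5_extract() {
    opml="${1:-$HOME/.config/liferea/feedlist.opml}"
    [ -f "$opml" ] || { echo "not found: $opml" >&2; return 2; }

    # Step 1: Liferea must be closed before the file is edited.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x liferea >/dev/null 2>&1; then
        echo "Liferea is running; close it and retry" >&2
        return 1
    fi

    # Keep the first untouched copy so subscriptions can be restored.
    [ -e "$opml.bak" ] || cp -p "$opml" "$opml.bak" || return 3

    # Steps 2-3: replace every html5Extract="true" with an empty string.
    tmp="$opml.tmp.$$"
    sed 's/html5Extract="true"//g' "$opml" > "$tmp" || { rm -f "$tmp"; return 3; }
    cat "$tmp" > "$opml" && rm -f "$tmp" || return 3

    # Verify: no subscription may still have the option enabled.
    if grep -q 'html5Extract="true"' "$opml"; then
        echo "html5Extract still enabled in $opml" >&2
        return 4
    fi
    echo "full-content extraction disabled in $opml"
}

# Demo on a constructed feed list (sample data, not a real subscription file).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<opml version="1.0"><body>' \
        '<outline text="A" xmlUrl="https://example.org/a.xml" html5Extract="true"/>' \
        '<outline text="B" xmlUrl="https://example.org/b.xml"/>' \
        '</body></opml>' > "$dir/feedlist.opml"
    disable_html5_extract "$dir/feedlist.opml" && cat "$dir/feedlist.opml"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Called with no argument, disable_html5_extract edits ~/.config/liferea/feedlist.opml; running the script with --demo exercises it on the constructed sample only.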

How to Install Liferea 1.14.1 in Ubuntu:

For most Linux distributions, Liferea is available to install as a Flatpak package, which runs in a sandbox.

Ubuntu users can also use the unofficial PPA, which so far supports Ubuntu 20.04, Ubuntu 22.04, Ubuntu 22.10, Linux Mint 20/21, and systems based on them.

1. First, press Ctrl+Alt+T on the keyboard to open a terminal. When it opens, run the command to add the PPA:

sudo add-apt-repository ppa:ubuntuhandbook1/apps

Type user password (no asterisk feedback) and hit Enter to continue.

2. Then, install the Liferea package by running the command:

sudo apt install liferea

Linux Mint users may have to run sudo apt update first to update the package cache.

Uninstall:

The PPA also contains some other software packages, so you may remove it immediately after installing Liferea.

To do so, either run the command below in a terminal, or remove the source line under the “Other Software” tab in the Software & Updates tool.

sudo add-apt-repository --remove ppa:ubuntuhandbook1/apps

To remove the feed reader package, simply run the command:

sudo apt remove --autoremove liferea-data liferea

That’s all. Enjoy!