Project Zomboid: Security Vulnerability

Games News

The Indie Stone announced a blog post concerning a security vulnerability discovered for Project Zomboid. The vulnerability was reported to the devs via a responsible member of the PZ community, who merely wanted to bring it to the attention of the company. You can shamble your way on over to their website for a look at the official message, here.

Kudos to The Indie Stone for such swift action and resolution. Currently, the live and main unstable branches have been patched, and as the message says, other legacy branches will be patched and restored as an option as they work through the remaining builds. This is of course with some minor exceptions for legacy or unstable branches that were scheduled for deletion.

All in all, I believe they took an appropriate course of action given the circumstances. Now, I fully expect there to be at least some community pushback, especially from anyone playing on a version selected for deletion with the upcoming release of 42.14. Alas, you can’t please everyone.

Scavenge well, and stay safe, Survivors.

-Hobbit

Addressing a Security Vulnerability

As many of you have noticed, a number of the builds have disappeared from the Game Versions & Betas tab on Steam. Yesterday we were made aware of a significant security vulnerability in the game thanks to one of our modders who responsibly reported the issue to us. It’s worth noting that this vulnerability only affected mods, and we have received no reports of anyone being affected in a malicious way because of this vulnerability, nor have we seen it being exploited in the wild, but given the potential for harm it was imperative we acted immediately.

Our team immediately jumped on this to investigate both the seriousness of the issue and to patch it as soon as possible. We made the decision to patch the main stable and unstable branches first, and then to immediately remove any vulnerable version of the game from circulation until they could be patched. We were unable to give a heads up regarding this issue, as doing so would have put a spotlight on the vulnerability for bad actors to exploit, and for similar reasons we won’t be going into details about the nature of the vulnerability. This was not a decision made lightly, but given the severity of the exploit, it was one we felt necessary.

We fully intend to restore most of the old legacy builds, and our team is working hard on that now; however, one branch will not be restored. When we announced the release of 42.14 we had mentioned that the 42.13.1 branch would be deleted in the near future, and intended to do so with the release of 42.15. Since we are putting the final touches on 42.15, and intend to release that to unstable next week barring any unexpected issues, it will remain deleted, as diverting developer resources to patching a branch that was due to be deleted in under a week anyway wouldn’t be an efficient use of resources. It would be much more beneficial to focus on getting 42.15 out the door.

We would also like to clarify some confusion around the outdatedunstable branch, as we have seen a lot of people assume that outdatedunstable would be permanently fixed at 42.13.2, which was never our intention. The purpose of outdatedunstable is to lag one patch behind the unstable branch to act as a fallback for the unstable branch should there be significant issues, and to give people time to wrap up their save. As we intend to push 42.15 out next week, it was always slated to be updated to 42.14.1 anyway; it was just updated a few days earlier than expected.

We are sorry for the delay in putting together an official response to this matter, but as you may imagine we have been scrambling trying to understand the issue, coordinating between the team, working out the best way forward, and implementing that plan. It was not something we had time to plan a response for, and we did not wish to put out incorrect or misleading information regarding an issue so serious, nor did we want to make any sort of official announcement before every avenue of the vulnerability was patched.

Thank you for your patience and understanding.
