Security issue in very old versions of Shotgun Desktop


A security issue has been brought to our attention in Shotgun Desktop’s startup code. It only impacts clients who are using versions of tk-desktop older than v2.1.8 in their site configuration (site.yml). If you are using v2.1.8 or more recent, you will not be impacted by this update. If you are unsure which version you are using, launch Shotgun Desktop, click on the user icon at the bottom right and select About.... If the engine line says v2.1.8 or later, you’re good and can stop reading now.

If you are using something older than v2.1.8 and rely on browser integration, the upcoming update to Shotgun Desktop’s startup code will remove support for it. The security hole is present in a legacy code path that we can’t afford to support, since v2.1.8 was released more than 3 years ago. According to our metrics, nobody is using a version of tk-desktop older than v2.2.4, so chances are none of you are impacted by this change.

If for some reason you are impacted and can upgrade to a more recent version of tk-desktop for your site configuration, that would be the best option. If you are not able to upgrade, you can download this zip file, unzip it and set SGTK_DESKTOP_STARTUP_DEBUG_LOCATION to the folder where the code was unzipped. This will ensure that you keep using an older version of tk-framework-desktopstartup while you figure out how to upgrade to a more recent copy of tk-desktop. Obviously, upgrading to the latest version of tk-desktop is the best and most secure option.

Please do not hesitate to reach us through support if you have any questions.