We have released v3.3.12 which contains a high-severity security fix. If you use server-side LaTeX functionality using TeXLive (this is the case if you have XELATEX_PATH set in yourindico.conf), then you are vulnerable and need to upgrade to 3.3.12 ASAP. As a workaround, you can also set XELATEX_PATH = None (or comment out the existing line) and restart the indico-uwsgi and indico-celery services.
Please see our security advisory for more details.
In particular, we strongly recommend you to enable containerization for the LaTeX renderer (using podman), which isolates it from the rest of the system. See the docs for details - it’s very easy and from now on the only recommended/supported way of using LaTeX. Please note that this may be slightly trickier if you deploy Indico using Docker. You may need to run the Indico container in “privileged” mode so it can launch (unprivileged) containers inside.