[geeklog-cvs] geeklog-1.3/docs changes.html,1.10,1.10.2.1 history,1.63,1.63.2.1

geeklog-cvs-admin at lists.geeklog.net geeklog-cvs-admin at lists.geeklog.net
Mon May 26 17:11:25 EDT 2003


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory internal.geeklog.net:/tmp/cvs-serv23588/docs

Modified Files:
      Tag: geeklog_1_3_7sr1_1
	changes.html history 
Log Message:
Updated documentation


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -C2 -d -r1.10 -r1.10.2.1
*** changes.html	13 Jan 2003 13:22:37 -0000	1.10
--- changes.html	26 May 2003 21:11:23 -0000	1.10.2.1
***************
*** 23,27 ****
  of files that have been changed since the last release.</p>
  
! <h2>Geeklog 1.3.7sr1</h2>
  
  <h3>Security issues</h3>
--- 23,58 ----
  of files that have been changed since the last release.</p>
  
! <h2><a name="changes137sr2">Geeklog 1.3.7sr2</a></h2>
! 
! <h3>Security issues</h3>
! 
! <p>The purpose of this release is to fix the following security issues.
! All users are <em>strongly</em> encouraged to upgrade to this version ASAP.</p>
! <ol>
! <li>It was possible to obtain valid session ids for every account on a Geeklog
!     site, including the Admin account (reported by SCAN Associates).</li>
! <li>Using Internet Explorer, it was possible to upload an image with embedded
!     PHP code and execute it (reported by SCAN Associates).</li>
! <li>Story permissions could override topic permissions, resulting in the display
!     of stories to users who shouldn't have access to them (reported by Andrew
!     Lawlor). This was already fixed with the new <tt>index.php</tt>, released
!     2003-05-15.</li>
! <li>Added a warning in <tt>config.php</tt> that adding any of the following
!     tags to the list of allowable HTML can make the site vulnerable to
!     scripting attacks:<br>
!     <code><img> <span> <marquee> <script>
!           <embed> <object> <iframe></code><br>
!     (pointed out by Joat Dede).</li>
! </ol>
! 
! <p>This update also includes fixes for the notorious "permission denied"
! error messages that some users would get in the Admin area (e.g. when trying
! to save a story and being "only" a user with Story Admin permissions).</p>
! 
! <p>The full 1.3.7sr2 tarball also includes various new and updated language
! files (see the Changelog for details).</p>
! 
! 
! <h2><a name="changes137sr1">Geeklog 1.3.7sr1</a></h2>
  
  <h3>Security issues</h3>
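Review bot: The tag list in the new item 4 is written with literal angle brackets inside `<code>` (`<code><img> <span> <marquee> <script>` ... `<embed> <object> <iframe></code>`), so a browser will parse `<script>`, `<img>`, `<iframe>` and the rest as real start tags instead of displaying them, and the warning text will render as an empty `<code>` element. Escape them as `&lt;img&gt; &lt;span&gt; &lt;marquee&gt; &lt;script&gt; &lt;embed&gt; &lt;object&gt; &lt;iframe&gt;` so the names of the tags that should not be whitelisted are actually visible to the reader. Also, item 1 says the session ids could be obtained for "every account ... including the Admin account" while the `history` file in this same commit drops the "including the Admin account" clause; keep the two wordings identical so the two changelogs do not drift apart.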

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.63
retrieving revision 1.63.2.1
diff -C2 -d -r1.63 -r1.63.2.1
*** history	13 Jan 2003 13:22:37 -0000	1.63
--- history	26 May 2003 21:11:23 -0000	1.63.2.1
***************
*** 1,4 ****
--- 1,43 ----
  GeekLog History/Changes:
  
+ May 26, 2003 (1.3.7sr2)
+ ------------
+ 
+ Security issues:
+ 
+ 1. It was possible to obtain valid session ids for every account (reported by
+    SCAN Associates).
+ 2. Using Internet Explorer, it was possible to upload an image with embedded
+    PHP code and execute it (reported by SCAN Associates).
+ 3. Story permissions could override topic permissions, resulting in the display
+    of stories to users who shouldn't have access to them (reported by Andrew
+    Lawlor).
+    Note: This was already fixed with the new index.php, released 2003-05-15.
+ 4. Added a warning in config.php that adding any of the following tags to the
+    list of allowable HTML can make the site vulnerable to scripting attacks:
+    <img> <span> <marquee> <script> <embed> <object> <iframe>
+    (pointed out by Joat Dede)
+ 
+ - Fixed the bug in several of the admin areas (blocks, events, links, polls,
+   stories, topics) where admins without root access got a message stating
+   that they did not have the proper permissions when trying to save an object.
+ - Fixed malformed cookie (used $_CONF['site_url'] instead of
+   $_CONF['cookiedomain']) in lib-sessions.php, found & fixed by Jon Evans.
+ 
+ - Updated Dutch language file, provided by Claudio.
+ - Updated French language file, provided by Jaques.
+ - Updated Hellenic (Greek) language file, provided by Access-=-Denied Networks
+ - Updated Spanish and Spanish (Argentina) language files,
+   provided by Fernando Bernardini
+ - New Portuguese language file, provided by Mario Seabra
+ - New Bulgarian language file, provided by lachko
+ - New Turkish language file, provided by Sinan Ussakli
+ - New Slovenian language file, provided by gape
+ - New Slovak language file, provided by Rado
+ - New Romanian language file, provided by Dan Gheorghitza
+ - New Chinese language file (gb2312 encoding), provided by Crocodile King
+ - New Czech language file, provided by Hermes Trismegistos
+ 
+ 
  January 13, 2003 (1.3.7sr1)
  ----------------
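Review bot: The entry "Fixed malformed cookie (used $_CONF['site_url'] instead of $_CONF['cookiedomain']) in lib-sessions.php" changes the domain attribute of the session cookie, which means cookies set by 1.3.7sr1 and earlier may no longer match the new domain and users can be logged out or end up with a stale cookie alongside the new one after upgrading; add a line here (and in changes.html) saying whether existing sessions survive the upgrade or whether users should expect to log in again. Two smaller points in the same hunk: item 1 of the security list omits the "including the Admin account" qualifier that changes.html carries for the same issue, and the Hellenic, Spanish and Portuguese language entries lack the trailing period used by the Dutch and French entries; make both consistent.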
