[geeklog-cvs] geeklog-1.3/docs changes.html,1.10,1.10.2.1 history,1.63,1.63.2.1
geeklog-cvs-admin at lists.geeklog.net
Mon May 26 17:11:25 EDT 2003
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory internal.geeklog.net:/tmp/cvs-serv23588/docs
Modified Files:
Tag: geeklog_1_3_7sr1_1
changes.html history
Log Message:
Updated documentation
Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -C2 -d -r1.10 -r1.10.2.1
*** changes.html 13 Jan 2003 13:22:37 -0000 1.10
--- changes.html 26 May 2003 21:11:23 -0000 1.10.2.1
***************
*** 23,27 ****
of files that have been changed since the last release.</p>
! <h2>Geeklog 1.3.7sr1</h2>
<h3>Security issues</h3>
--- 23,58 ----
of files that have been changed since the last release.</p>
! <h2><a name="changes137sr2">Geeklog 1.3.7sr2</a></h2>
!
! <h3>Security issues</h3>
!
! <p>The purpose of this release is to fix the following security issues.
! All users are <em>strongly</em> encouraged to upgrade to this version ASAP.</p>
! <ol>
! <li>It was possible to obtain valid session ids for every account on a Geeklog
! site, including the Admin account (reported by SCAN Associates).</li>
! <li>Using Internet Explorer, it was possible to upload an image with embedded
! PHP code and execute it (reported by SCAN Associates).</li>
! <li>Story permissions could override topic permissions, resulting in the display
! of stories to users who shouldn't have access to them (reported by Andrew
! Lawlor). This was already fixed with the new <tt>index.php</tt>, released
! 2003-05-15.</li>
! <li>Added a warning in <tt>config.php</tt> that adding any of the following
! tags to the list of allowable HTML can make the site vulnerable to
! scripting attacks:<br>
! <code><img> <span> <marquee> <script>
! <embed> <object> <iframe></code><br>
! (pointed out by Joat Dede).</li>
! </ol>
!
! <p>This update also includes fixes for the notorious "permission denied"
! error messages that some users would get in the Admin area (e.g. when trying
! to save a story and being "only" a user with Story Admin permissions).</p>
!
! <p>The full 1.3.7sr2 tarball also includes various new and updated language
! files (see the Changelog for details).</p>
!
!
! <h2><a name="changes137sr1">Geeklog 1.3.7sr1</a></h2>
<h3>Security issues</h3>
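Review bot: the tag list inside the new `<code>` element (`<code><img> <span> <marquee> <script>` / `<embed> <object> <iframe></code>`) appears in the hunk as literal angle-bracket tags; if changes.html stores them that way rather than as `&lt;img&gt;` etc., a browser will parse them as real elements (an unescaped `<script>`/`<iframe>` inside the docs page is exactly the kind of markup the warning is about) and the reader will see an empty code span. Please confirm the file uses HTML entities for every tag in that list. Also, the entry for issue 1 says session ids could be obtained "for every account" but, unlike issue 3 (which names `index.php`), does not say which file or mechanism was changed to fix it; a one-line pointer would help site admins who merge updates by hand verify they have the fix.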
Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.63
retrieving revision 1.63.2.1
diff -C2 -d -r1.63 -r1.63.2.1
*** history 13 Jan 2003 13:22:37 -0000 1.63
--- history 26 May 2003 21:11:23 -0000 1.63.2.1
***************
*** 1,4 ****
--- 1,43 ----
GeekLog History/Changes:
+ May 26, 2003 (1.3.7sr2)
+ ------------
+
+ Security issues:
+
+ 1. It was possible to obtain valid session ids for every account (reported by
+ SCAN Associates).
+ 2. Using Internet Explorer, it was possible to upload an image with embedded
+ PHP code and execute it (reported by SCAN Associates).
+ 3. Story permissions could override topic permissions, resulting in the display
+ of stories to users who shouldn't have access to them (reported by Andrew
+ Lawlor).
+ Note: This was already fixed with the new index.php, released 2003-05-15.
+ 4. Added a warning in config.php that adding any of the following tags to the
+ list of allowable HTML can make the site vulnerable to scripting attacks:
+ <img> <span> <marquee> <script> <embed> <object> <iframe>
+ (pointed out by Joat Dede)
+
+ - Fixed the bug in several of the admin areas (blocks, events, links, polls,
+ stories, topics) where admins without root access got a message stating
+ that they did not have the proper permissions when trying to save an object.
+ - Fixed malformed cookie (used $_CONF['site_url'] instead of
+ $_CONF['cookiedomain']) in lib-sessions.php, found & fixed by Jon Evans.
+
+ - Updated Dutch language file, provided by Claudio.
+ - Updated French language file, provided by Jaques.
+ - Updated Hellenic (Greek) language file, provided by Access-=-Denied Networks
+ - Updated Spanish and Spanish (Argentina) language files,
+ provided by Fernando Bernardini
+ - New Portuguese language file, provided by Mario Seabra
+ - New Bulgarian language file, provided by lachko
+ - New Turkish language file, provided by Sinan Ussakli
+ - New Slovenian language file, provided by gape
+ - New Slovak language file, provided by Rado
+ - New Romanian language file, provided by Dan Gheorghitza
+ - New Chinese language file (gb2312 encoding), provided by Crocodile King
+ - New Czech language file, provided by Hermes Trismegistos
+
+
January 13, 2003 (1.3.7sr1)
----------------
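Review bot: security issue 1 in this history entry ("It was possible to obtain valid session ids for every account") drops the "on a Geeklog site, including the Admin account" wording used for the same item in changes.html in this commit; the two documents should state the issue identically so that neither understates the impact. The underline under "May 26, 2003 (1.3.7sr2)" is also shorter than the heading (the existing "January 13, 2003 (1.3.7sr1)" entry below it uses a full-width underline), and the `Note:` line under item 3 is indented differently from the numbered items; matching the existing entries' layout keeps the file easy to scan. Finally, the language-file bullets are inconsistent about trailing periods (Dutch and French have one, the rest do not).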