[geeklog-cvs] geeklog-1.3/docs changes.html,1.10,1.11 history,1.95,1.96

geeklog-cvs-admin at lists.geeklog.net
Wed May 28 05:36:20 EDT 2003


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory internal.geeklog.net:/tmp/cvs-serv13898

Modified Files:
	changes.html history 
Log Message:
Synced list of changes with the 1.3.7sr2 release.


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.10
retrieving revision 1.11
diff -C2 -d -r1.10 -r1.11
*** changes.html	13 Jan 2003 13:22:37 -0000	1.10
--- changes.html	28 May 2003 09:36:17 -0000	1.11
***************
*** 23,27 ****
  of files that have been changed since the last release.</p>
  
! <h2>Geeklog 1.3.7sr1</h2>
  
  <h3>Security issues</h3>
--- 23,58 ----
  of files that have been changed since the last release.</p>
  
! <h2><a name="changes137sr2">Geeklog 1.3.7sr2</a></h2>
! 
! <h3>Security issues</h3>
! 
! <p>The purpose of this release is to fix the following security issues.
! All users are <em>strongly</em> encouraged to upgrade to this version ASAP.</p>
! <ol>
! <li>It was possible to obtain valid session ids for every account on a Geeklog
!     site, including the Admin account (reported by SCAN Associates).</li>
! <li>Using Internet Explorer, it was possible to upload an image with embedded
!     PHP code and execute it (reported by SCAN Associates).</li>
! <li>Story permissions could override topic permissions, resulting in the display
!     of stories to users who shouldn't have access to them (reported by Andrew
!     Lawlor). This was already fixed with the new <tt>index.php</tt>, released
!     2003-05-15.</li>
! <li>Added a warning in <tt>config.php</tt> that adding any of the following
!     tags to the list of allowable HTML can make the site vulnerable to
!     scripting attacks:<br>
!     <code><img> <span> <marquee> <script>
!           <embed> <object> <iframe></code><br>
!     (pointed out by Joat Dede).</li>
! </ol>
! 
! <p>This update also includes fixes for the notorious "permission denied"
! error messages that some users would get in the Admin area (e.g. when trying
! to save a story and being "only" a user with Story Admin permissions).</p>
! 
! <p>The full 1.3.7sr2 tarball also includes various new and updated language
! files (see the Changelog for details).</p>
! 
! 
! <h2><a name="changes137sr1">Geeklog 1.3.7sr1</a></h2>
  
  <h3>Security issues</h3>
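Review bot: the tag list inside the new `<code>` element (`<img> <span> <marquee> <script> <embed> <object> <iframe>`) must be entity-escaped (`&lt;img&gt; &lt;span&gt; ...`) if it is stored with literal angle brackets in changes.html; as raw `<` characters a browser parses them as real elements, and the unclosed `<script>` would swallow the rest of the page instead of displaying the warning. Separately, the 1.3.7sr2 entry added to the history file in this same commit also lists the lib-sessions.php fixes (unnecessary session creation, cookie domain), the right-blocks fix and the "Google paging" fix, none of which appear in this changes.html section; consider adding them so the two documents stay in sync, which is what the commit message says the change is for.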

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.95
retrieving revision 1.96
diff -C2 -d -r1.95 -r1.96
*** history	21 May 2003 16:00:29 -0000	1.95
--- history	28 May 2003 09:36:17 -0000	1.96
***************
*** 13,21 ****
  - Stories in the Daily Digest are now sorted by date (newest first, as on the
    index page).
- - Fixed a problem with topic permissions in index.php: If the user doesn't
-   have access to a topic, s/he shouldn't be able to see any stories posted under
-   that topic, even if the story permissions would allow that.
- - The "Google paging" on the index page may have displayed the wrong number
-   of pages for users who disabled topics in their display preferences.
  - Changed handling of plugin comments slightly: Plugins will have to do the
    'delete' operation on their comments on their own now since Geeklog can't
--- 13,16 ----
***************
*** 61,66 ****
  - Fixed "Last 10 comments by user" in the user's profile which was missing the
    comments to polls.
- - Fixed a bug that prevented certain right blocks from showing up when there
-   were no stories for a topic.
  - When a new user registeres, we need to check for a valid email address
    first (before searching the database to see if that address is already in use)
--- 56,59 ----
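Review bot: the unchanged context line "When a new user registeres, we need to check for a valid email address" carries a typo ("registeres" should be "registers"); since this hunk already touches the surrounding lines, it would be cheap to fix in the same or a follow-up commit.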
***************
*** 86,90 ****
    scaled image will be used as a thumbnail and link to the original image
    (based on code provided by Alexander Schmacks).
! - In database.php:
    + Made sure we really display the last 10 backups (fix by Alexander Schmacks)
    + Display total number of backups in the directory
--- 79,83 ----
    scaled image will be used as a thumbnail and link to the original image
    (based on code provided by Alexander Schmacks).
! - In admin/database.php:
    + Made sure we really display the last 10 backups (fix by Alexander Schmacks)
    + Display total number of backups in the directory
***************
*** 117,124 ****
    is now called Static Pages 1.3.
    Use Geeklog's install script to upgrade from any previous version (1.1 or 1.2)
- - Fixed a typo in lib-sessions.php that caused the creation of unnecessary
-   sessions (pointed out by Kobaz).
- - Fixed malformed cookie (used $_CONF['site_url'] instead of
-   $_CONF['cookiedomain']), found & fixed by Jon Evans.
  - Fixed mixing of comments from different plugins, found & fixed by Alan McKay.
  - A theme can provide its own functions to render the site header and footer
--- 110,113 ----
***************
*** 144,150 ****
    enabled or disabled (will need changes in admin/block/listblocks.thtml and
    listitem.thtml template files of custom themes).
- - Fixed problem in the Admin editors for blocks, events, links, polls, stories,
-   and topics, that would result in an "Access Denied" message under certain
-   circumstances.
  - Variable {rdf_url} (available in footer.thtml) holds the URL of the RDF file.
  - What's Related block is now created dynamically.
--- 133,136 ----
***************
*** 164,167 ****
--- 150,185 ----
    directory).
  
+ 
+ May 26, 2003 (1.3.7sr2)
+ ------------
+ 
+ Security issues:
+ 
+ 1. It was possible to obtain valid session ids for every account (reported by
+    SCAN Associates).
+ 2. Using Internet Explorer, it was possible to upload an image with embedded
+    PHP code and execute it (reported by SCAN Associates).
+ 3. Story permissions could override topic permissions, resulting in the display
+    of stories to users who shouldn't have access to them (reported by Andrew
+    Lawlor).
+    Note: This was already fixed with the new index.php, released 2003-05-15.
+ 4. Added a warning in config.php that adding any of the following tags to the
+    list of allowable HTML can make the site vulnerable to scripting attacks:
+    <img> <span> <marquee> <script> <embed> <object> <iframe>
+    (pointed out by Joat Dede)
+ 
+ - Fixed the bug in several of the admin areas (blocks, events, links, polls,
+   stories, topics) where admins without root access got a message stating
+   that they did not have the proper permissions when trying to save an object.
+ - Fixed a typo in lib-sessions.php that caused the creation of unnecessary
+   sessions (pointed out by Kobaz).
+ - Fixed malformed cookie (used $_CONF['site_url'] instead of
+   $_CONF['cookiedomain']) in lib-sessions.php, found & fixed by Jon Evans.
+ - Fixed a bug that prevented certain right blocks from showing up when there
+   were no stories for a topic.
+ - The "Google paging" on the index page may have displayed the wrong number
+   of pages for users who disabled topics in their display preferences.
+ 
+ - Updated Dutch language file, provided by Claudio.
  - Updated French language file, provided by Jaques.
  - Updated Hellenic (Greek) language file, provided by Access-=-Denied Networks
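Review bot: the dashed underline under "May 26, 2003 (1.3.7sr2)" is 12 characters, shorter than the heading text, so it should be extended to match if the file underlines headings to full width. Item 1 here reads "for every account" while the changes.html wording added in this commit reads "for every account on a Geeklog site, including the Admin account"; align the two so the severity is stated consistently. The "Note:" line in item 3 should also follow the same wording as the changes.html version (which says "already fixed with the new index.php") to avoid the two lists drifting apart.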