[geeklog-cvs] geeklog-1.3/docs changes.html,1.10,1.11 history,1.95,1.96
geeklog-cvs-admin at lists.geeklog.net
Wed May 28 05:36:20 EDT 2003
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory internal.geeklog.net:/tmp/cvs-serv13898
Modified Files:
changes.html history
Log Message:
Synced list of changes with the 1.3.7sr2 release.
Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.10
retrieving revision 1.11
diff -C2 -d -r1.10 -r1.11
*** changes.html 13 Jan 2003 13:22:37 -0000 1.10
--- changes.html 28 May 2003 09:36:17 -0000 1.11
***************
*** 23,27 ****
of files that have been changed since the last release.</p>
! <h2>Geeklog 1.3.7sr1</h2>
<h3>Security issues</h3>
--- 23,58 ----
of files that have been changed since the last release.</p>
! <h2><a name="changes137sr2">Geeklog 1.3.7sr2</a></h2>
!
! <h3>Security issues</h3>
!
! <p>The purpose of this release is to fix the following security issues.
! All users are <em>strongly</em> encouraged to upgrade to this version ASAP.</p>
! <ol>
! <li>It was possible to obtain valid session ids for every account on a Geeklog
! site, including the Admin account (reported by SCAN Associates).</li>
! <li>Using Internet Explorer, it was possible to upload an image with embedded
! PHP code and execute it (reported by SCAN Associates).</li>
! <li>Story permissions could override topic permissions, resulting in the display
! of stories to users who shouldn't have access to them (reported by Andrew
! Lawlor). This was already fixed with the new <tt>index.php</tt>, released
! 2003-05-15.</li>
! <li>Added a warning in <tt>config.php</tt> that adding any of the following
! tags to the list of allowable HTML can make the site vulnerable to
! scripting attacks:<br>
! <code><img> <span> <marquee> <script>
! <embed> <object> <iframe></code><br>
! (pointed out by Joat Dede).</li>
! </ol>
!
! <p>This update also includes fixes for the notorious "permission denied"
! error messages that some users would get in the Admin area (e.g. when trying
! to save a story and being "only" a user with Story Admin permissions).</p>
!
! <p>The full 1.3.7sr2 tarball also includes various new and updated language
! files (see the Changelog for details).</p>
!
!
! <h2><a name="changes137sr1">Geeklog 1.3.7sr1</a></h2>
<h3>Security issues</h3>
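Review bot: the tag list in the warning entry, `<code><img> <span> <marquee> <script>` / `<embed> <object> <iframe></code>`, is written with raw angle brackets inside an HTML file; unless the mail archive has decoded entities here, a browser will treat `<img>`, `<script>`, `<iframe>` and the rest as elements instead of displaying them, so the list renders empty and the changelog page itself carries live `<script>`/`<iframe>` markup. Escape them as `&lt;img&gt; &lt;span&gt; ...` inside the `<code>` element. Separately, entry 1 (session ids obtainable for every account, including Admin) is the only item that names neither the affected file nor the nature of the fix, while entries 3 and 4 point at `index.php` and `config.php`; adding the changed file lets operators who apply individual hotfix files confirm they have it.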
Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.95
retrieving revision 1.96
diff -C2 -d -r1.95 -r1.96
*** history 21 May 2003 16:00:29 -0000 1.95
--- history 28 May 2003 09:36:17 -0000 1.96
***************
*** 13,21 ****
- Stories in the Daily Digest are now sorted by date (newest first, as on the
index page).
- - Fixed a problem with topic permissions in index.php: If the user doesn't
- have access to a topic, s/he shouldn't be able to see any stories posted under
- that topic, even if the story permissions would allow that.
- - The "Google paging" on the index page may have displayed the wrong number
- of pages for users who disabled topics in their display preferences.
- Changed handling of plugin comments slightly: Plugins will have to do the
'delete' operation on their comments on their own now since Geeklog can't
--- 13,16 ----
***************
*** 61,66 ****
- Fixed "Last 10 comments by user" in the user's profile which was missing the
comments to polls.
- - Fixed a bug that prevented certain right blocks from showing up when there
- were no stories for a topic.
- When a new user registeres, we need to check for a valid email address
first (before searching the database to see if that address is already in use)
--- 56,59 ----
***************
*** 86,90 ****
scaled image will be used as a thumbnail and link to the original image
(based on code provided by Alexander Schmacks).
! - In database.php:
+ Made sure we really display the last 10 backups (fix by Alexander Schmacks)
+ Display total number of backups in the directory
--- 79,83 ----
scaled image will be used as a thumbnail and link to the original image
(based on code provided by Alexander Schmacks).
! - In admin/database.php:
+ Made sure we really display the last 10 backups (fix by Alexander Schmacks)
+ Display total number of backups in the directory
***************
*** 117,124 ****
is now called Static Pages 1.3.
Use Geeklog's install script to upgrade from any previous version (1.1 or 1.2)
- - Fixed a typo in lib-sessions.php that caused the creation of unnecessary
- sessions (pointed out by Kobaz).
- - Fixed malformed cookie (used $_CONF['site_url'] instead of
- $_CONF['cookiedomain']), found & fixed by Jon Evans.
- Fixed mixing of comments from different plugins, found & fixed by Alan McKay.
- A theme can provide its own functions to render the site header and footer
--- 110,113 ----
***************
*** 144,150 ****
enabled or disabled (will need changes in admin/block/listblocks.thtml and
listitem.thtml template files of custom themes).
- - Fixed problem in the Admin editors for blocks, events, links, polls, stories,
- and topics, that would result in an "Access Denied" message under certain
- circumstances.
- Variable {rdf_url} (available in footer.thtml) holds the URL of the RDF file.
- What's Related block is now created dynamically.
--- 133,136 ----
***************
*** 164,167 ****
--- 150,185 ----
directory).
+
+ May 26, 2003 (1.3.7sr2)
+ ------------
+
+ Security issues:
+
+ 1. It was possible to obtain valid session ids for every account (reported by
+ SCAN Associates).
+ 2. Using Internet Explorer, it was possible to upload an image with embedded
+ PHP code and execute it (reported by SCAN Associates).
+ 3. Story permissions could override topic permissions, resulting in the display
+ of stories to users who shouldn't have access to them (reported by Andrew
+ Lawlor).
+ Note: This was already fixed with the new index.php, released 2003-05-15.
+ 4. Added a warning in config.php that adding any of the following tags to the
+ list of allowable HTML can make the site vulnerable to scripting attacks:
+ <img> <span> <marquee> <script> <embed> <object> <iframe>
+ (pointed out by Joat Dede)
+
+ - Fixed the bug in several of the admin areas (blocks, events, links, polls,
+ stories, topics) where admins without root access got a message stating
+ that they did not have the proper permissions when trying to save an object.
+ - Fixed a typo in lib-sessions.php that caused the creation of unnecessary
+ sessions (pointed out by Kobaz).
+ - Fixed malformed cookie (used $_CONF['site_url'] instead of
+ $_CONF['cookiedomain']) in lib-sessions.php, found & fixed by Jon Evans.
+ - Fixed a bug that prevented certain right blocks from showing up when there
+ were no stories for a topic.
+ - The "Google paging" on the index page may have displayed the wrong number
+ of pages for users who disabled topics in their display preferences.
+
+ - Updated Dutch language file, provided by Claudio.
- Updated French language file, provided by Jaques.
- Updated Hellenic (Greek) language file, provided by Access-=-Denied Networks
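Review bot: in the new 1.3.7sr2 block, security item 1 ("It was possible to obtain valid session ids for every account") states no file, cause or fix, whereas the non-security entries directly beneath it name `lib-sessions.php` for both the spurious-session typo and the malformed cookie (`$_CONF['site_url']` used in place of `$_CONF['cookiedomain']`). Since all of these touch session handling, say which file the session-id fix lives in and whether existing sessions are invalidated on upgrade, so that admins of sites already exposed know to force re-login after installing the release. The section header underline `------------` is also shorter than the `May 26, 2003 (1.3.7sr2)` line above it; match the length used for the other release headers in this file.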