[geeklog-cvs] geeklog-1.3/docs changes.html,1.10.2.1,1.10.2.1.2.1 history,1.63.2.1,1.63.2.1.2.1

dhaun at geeklog.net dhaun at geeklog.net
Sun Oct 12 08:31:35 EDT 2003


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv24014

Modified Files:
      Tag: geeklog_1_3_7sr2_1
	changes.html history 
Log Message:
Updated documentation.


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.10.2.1
retrieving revision 1.10.2.1.2.1
diff -C2 -d -r1.10.2.1 -r1.10.2.1.2.1
*** changes.html	26 May 2003 21:11:23 -0000	1.10.2.1
--- changes.html	12 Oct 2003 12:31:33 -0000	1.10.2.1.2.1
***************
*** 23,26 ****
--- 23,38 ----
  of files that have been changed since the last release.</p>
  
+ <h2><a name="changes137sr3">Geeklog 1.3.7sr3</a></h2>
+ 
+ <p>The purpose of this release is to address some of the security issues reported in September and early October 2003. If you don't plan to upgrade to the latest version of Geeklog (1.3.8-1sr1, at the time of this writing), we strongly suggest you upgrade to at least 1.3.7sr3 instead.</p>
+ 
+ <h3>Security issues</h3>
+ <ol>
+ <li>By including Ulf Harnhammar's <a href="http://sourceforge.net/projects/kses/" title="kses homepage">kses</a> HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.</li>
+ <li>Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).
+ </ol>
+ 
+ <p>Please note that at the moment we do <strong>not</strong> recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.</p>
+ 
  <h2><a name="changes137sr2">Geeklog 1.3.7sr2</a></h2>
  
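Review bot: the second list item in the new "Security issues" list (the one about SQL error reporting) is never closed before `</ol>`; add `</li>` after "...that have been reported)." so the markup stays well-formed like the kses item above it. Two wording points in the same hunk: "recommend to use Geeklog" should read "recommend using Geeklog", and "SQL injections attempts" should be "SQL injection attempts".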

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.63.2.1
retrieving revision 1.63.2.1.2.1
diff -C2 -d -r1.63.2.1 -r1.63.2.1.2.1
*** history	26 May 2003 21:11:23 -0000	1.63.2.1
--- history	12 Oct 2003 12:31:33 -0000	1.63.2.1.2.1
***************
*** 1,4 ****
--- 1,31 ----
  GeekLog History/Changes:
  
+ October 12, 2003 (1.3.7sr3)
+ ----------------
+ 
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+ 
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+    injections and CSS defacements.
+ 
+    When upgrading from an earlier version, please make sure to copy over the
+    $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+    config.php to your own copy of that file.
+ 
+ 2. While almost all of the alleged SQL injection issues could not be
+    reproduced, this release includes an update to the MySQL class to not
+    report SQL errors in the browser any more (but only in Geeklog's error.log).
+    This will avoid disclosing any sensitive information as part of the error
+    message.
+ 
+    Please note that at the moment we do NOT recommend to use Geeklog with
+    MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+    not be used on production sites anyway).
+ 
+    An upcoming release of Geeklog will address the remaining SQL issues,
+    including any problems with MySQL 4.1.
+ 
+ 
  May 26, 2003 (1.3.7sr2)
  ------------
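Review bot: the upgrade instruction in item 1 tells administrators to copy the $_CONF['user_html'] and $_CONF['admin_html'] arrays into their existing config.php but does not say what happens if they skip that step; since the text ties those arrays to the new kses filter, a sentence stating the consequence (or that the filter needs them present) would save upgraders from a silent misconfiguration. In item 2, not reporting SQL errors in the browser is presented as avoiding information disclosure; it would be clearer to say explicitly that this limits what an error message reveals rather than fixing the underlying SQL handling, which the last paragraph already defers to an upcoming release. Also "recommend to use" should read "recommend using".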
