[geeklog-cvs] geeklog-1.3/docs changes.html,1.18,1.18.2.1 history,1.120,1.120.2.1

dhaun at geeklog.net
Sun Oct 12 08:33:33 EDT 2003


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv24040

Modified Files:
      Tag: geeklog_1_3_8_1_1
	changes.html history 
Log Message:
Updated documentation.


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18
retrieving revision 1.18.2.1
diff -C2 -d -r1.18 -r1.18.2.1
*** changes.html	9 Aug 2003 11:47:41 -0000	1.18
--- changes.html	12 Oct 2003 12:33:31 -0000	1.18.2.1
***************
*** 23,26 ****
--- 23,45 ----
  of files that have been changed since the last release.</p>
  
+ <h2><a name="changes138-1sr1">Geeklog 1.3.8-1sr1</a></h2>
+ 
+ <p>The purpose of this release is to address some of the security issues reported in September and early October 2003. We strongly recommend upgrading to this version.</p>
+ 
+ <h3>Security issues</h3>
+ <ol>
+ <li>By including Ulf Harnhammar's <a href="http://sourceforge.net/projects/kses/" title="kses homepage">kses</a> HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.</li>
+ <li>Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).
+ </ol>
+ 
+ <p>Please note that at the moment we do <strong>not</strong> recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.</p>
+ 
+ <h3>Other fixes</h3>
+ <ul>
+ <li>Fixed the auto-detection of the value for the <code>$_CONF['cookiedomain']</code> variable if the URL included a port number (such as <tt>example.com:8080</tt>). This will fix the login problems some users were reporting.</li>
+ <li>The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files.</li>
+ </ul>
+ 
+ 
  <h2><a name="changes138-1">Geeklog 1.3.8-1</a></h2>
  
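Review bot: the second `<li>` in the "Security issues" list (the item starting "Details of SQL errors will not be reported in the browser any more") is never closed; the line ends at "...that have been reported)." and is followed directly by `+ </ol>`, so `</li>` should be added before the list closes. Minor style point in the same hunk: the "Other fixes" item marks the config variable with `<code>` but the host example with `<tt>` (`example.com:8080`); use `<code>` for both so the rendered markup is consistent.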

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120
retrieving revision 1.120.2.1
diff -C2 -d -r1.120 -r1.120.2.1
*** history	9 Aug 2003 11:47:41 -0000	1.120
--- history	12 Oct 2003 12:33:31 -0000	1.120.2.1
***************
*** 1,4 ****
--- 1,37 ----
  GeekLog History/Changes:
  
+ October 12, 2003 (1.3.8-1sr1)
+ ----------------
+ 
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+ 
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+    injections and CSS defacements.
+ 
+    When upgrading from an earlier version, please make sure to copy over the
+    $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+    config.php to your own copy of that file.
+ 
+ 2. While almost all of the alleged SQL injection issues could not be
+    reproduced, this release includes an update to the MySQL class to not
+    report SQL errors in the browser any more (but only in Geeklog's error.log).
+    This will avoid disclosing any sensitive information as part of the error
+    message.
+ 
+    Please note that at the moment we do NOT recommend to use Geeklog with
+    MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+    not be used on production sites anyway).
+ 
+    An upcoming release of Geeklog will address the remaining SQL issues,
+    including any problems with MySQL 4.1.
+ 
+ Other fixes (not security-related):
+ - When trying to guess the value of $_CONF['cookiedomain'], we need to remove
+   the port number from the URL, if there is one (bug #75).
+ - The full 1.3.8-1sr1 tarball also includes updated French (Canada) and
+   Turkish language files.
+ 
+ 
  August 9, 2003 (1.3.8-1)
  --------------
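Review bot: the upgrade instruction inside item 1 (copy the `$_CONF['user_html']` and `$_CONF['admin_html']` arrays from the shipped config.php into the site's own copy) is the one action an administrator has to take for the kses filter to behave as intended, yet it sits as a sub-paragraph of the numbered item and is absent from the corresponding 1.3.8-1sr1 section of changes.html in this same commit. Suggest giving it its own "Upgrade notes" paragraph in the history file and adding the same sentence to changes.html so both documents list the step.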
