[geeklog-cvs] geeklog-1.3/docs history,1.139,1.140

dhaun at geeklog.net
Sat Oct 25 12:47:46 EDT 2003


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv4113/docs

Modified Files:
	history 
Log Message:
Sync history with 1.3.7sr3, 1.3.8-1sr1, and 1.3.8-1sr2 releases.


Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.139
retrieving revision 1.140
diff -C2 -d -r1.139 -r1.140
*** history	28 Sep 2003 13:23:42 -0000	1.139
--- history	25 Oct 2003 16:47:44 -0000	1.140
***************
*** 9,14 ****
  - Added a check and warning message in admin/moderation.php if register_globals
    is "off".
- - When trying to guess the value of $_CONF['cookiedomain'], we need to remove
-   the port number from the URL, if there is one (bug #75).
  - Changed function COM_isEmail() to use PEAR::Mail/RFC822 to check for valid
    email addresses.
--- 9,12 ----
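Review bot: the bug #75 cookiedomain entry deleted here is re-added word for word under "October 12, 2003 (1.3.8-1sr1)" further down in this diff, so the fix is not lost from the changelog, but the unreleased section at the top of the file no longer records that the port-stripping fix is also present in the code that follows 1.3.8-1. If that section is meant to list every change since 1.3.8-1, a one-line pointer to the sr1/sr2 entries would keep the record complete.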
***************
*** 69,73 ****
  - Words from a search query are now properly highlighted in comments when the
    words occured only in the comments (but not in the story).
- - Fixed parse errors in the french_canada.php language file (bug #53).
  - Integrated Vincent Furia's new comment code to use templates for comments
    (instead of hard-coded HTML).
--- 67,70 ----
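Review bot: deleting this line drops the only reference to bug #53; the replacement text under 1.3.8-1sr1 later in this diff ("The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files") names neither the parse errors nor the bug number. Keep the cross-reference in the sr1 entry, e.g. "- Fixed parse errors in the french_canada.php language file (bug #53).", so the tracker link survives.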
***************
*** 84,87 ****
--- 81,132 ----
  
  
+ October 14, 2003 (1.3.8-1sr2)
+ ----------------
+ 
+ Jouko Pynnonen found a way to trick the new "forgot password" feature,
+ introduced in 1.3.8, into letting an attacker change the password for _any_
+ account. This release addresses this issue - there were no other changes.
+ 
+ The only thing you need to do is to replace the file users.php on your site
+ with the file that comes with this tarball. It's suggested that you change
+ the version number in your config.php to '1.3.8-1sr2' afterwards.
+ 
+ Please note that only Geeklog 1.3.8, 1.3.8-1, and 1.3.8-1sr1 are affected,
+ as this feature did not exist in earlier versions.
+ 
+ 
+ October 12, 2003 (1.3.8-1sr1)
+ ----------------
+ 
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+ 
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+    injections and CSS defacements.
+ 
+    When upgrading from an earlier version, please make sure to copy over the
+    $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+    config.php to your own copy of that file.
+ 
+ 2. While almost all of the alleged SQL injection issues could not be
+    reproduced, this release includes an update to the MySQL class to not
+    report SQL errors in the browser any more (but only in Geeklog's error.log).
+    This will avoid disclosing any sensitive information as part of the error
+    message.
+ 
+    Please note that at the moment we do NOT recommend to use Geeklog with
+    MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+    not be used on production sites anyway).
+ 
+    An upcoming release of Geeklog will address the remaining SQL issues,
+    including any problems with MySQL 4.1.
+ 
+ Other fixes (not security-related):
+ - When trying to guess the value of $_CONF['cookiedomain'], we need to remove
+   the port number from the URL, if there is one (bug #75).
+ - The full 1.3.8-1sr1 tarball also includes updated French (Canada) and
+   Turkish language files.
+ 
+ 
  August 9, 2003 (1.3.8-1)
  --------------
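Review bot: item 2 of the 1.3.8-1sr1 entry says "almost all" of the reported SQL injection issues could not be reproduced, which implies some were, but it never says whether those were fixed in this release or are among the "remaining SQL issues" deferred to an upcoming one; the only concrete change described is suppressing SQL error messages in the browser, which limits information disclosure but does not by itself stop an injection. State explicitly which reported issues are fixed here and which are pending, and tell admins where error.log is written so they can still see the errors they are no longer shown. Minor: the sr2 entry tells admins to set the version number in config.php to '1.3.8-1sr2', while the sr1 entry gives no equivalent advice.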
***************
*** 409,412 ****
--- 454,485 ----
  
  Please see docs/staticpages.html for details.
+ 
+ 
+ October 12, 2003 (1.3.7sr3)
+ ----------------
+ 
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+ 
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+    injections and CSS defacements.
+ 
+    When upgrading from an earlier version, please make sure to copy over the
+    $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+    config.php to your own copy of that file.
+ 
+ 2. While almost all of the alleged SQL injection issues could not be
+    reproduced, this release includes an update to the MySQL class to not
+    report SQL errors in the browser any more (but only in Geeklog's error.log).
+    This will avoid disclosing any sensitive information as part of the error
+    message.
+ 
+    Please note that at the moment we do NOT recommend to use Geeklog with
+    MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+    not be used on production sites anyway).
+ 
+    An upcoming release of Geeklog will address the remaining SQL issues,
+    including any problems with MySQL 4.1.
+ 
  
  May 26, 2003 (1.3.7sr2)
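Review bot: the 1.3.7sr3 entry repeats items 1 and 2 of the 1.3.8-1sr1 entry verbatim but, unlike the 1.3.8-1sr2 entry above ("replace the file users.php"), does not tell a 1.3.7sr2 admin which files actually changed (the kses filter, the MySQL class, the config.php arrays it says to copy over). Listing the files to replace would make a partial upgrade possible and verifiable. A short line that 1.3.7sr3 does not contain the sr2 "forgot password" fix, which the sr2 entry says affects only 1.3.8 and later, would also spare readers the cross-check, since the sr3 entry sits below the 1.3.8 entries in this file.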