[geeklog-cvs] geeklog-1.3/docs history,1.139,1.140
dhaun at geeklog.net
Sat Oct 25 12:47:46 EDT 2003
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv4113/docs
Modified Files:
history
Log Message:
Sync history with 1.3.7sr3, 1.3.8-1sr1, and 1.3.8-1sr2 releases.
Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.139
retrieving revision 1.140
diff -C2 -d -r1.139 -r1.140
*** history 28 Sep 2003 13:23:42 -0000 1.139
--- history 25 Oct 2003 16:47:44 -0000 1.140
***************
*** 9,14 ****
- Added a check and warning message in admin/moderation.php if register_globals
is "off".
- - When trying to guess the value of $_CONF['cookiedomain'], we need to remove
- the port number from the URL, if there is one (bug #75).
- Changed function COM_isEmail() to use PEAR::Mail/RFC822 to check for valid
email addresses.
--- 9,12 ----
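Review bot: removing the bug #75 (cookiedomain port-number) entry from the unreleased section at the top is only correct if the fix shipped in the 1.3.8-1sr1 tarball, where this same log re-adds it under "Other fixes (not security-related)"; please confirm the sr1 tarball actually contains the changed code rather than only CVS HEAD, since a reader of the sr1 entry will now expect it. The two entries left here (the register_globals warning in admin/moderation.php and COM_isEmail() using PEAR::Mail/RFC822) correctly stay unreleased.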
***************
*** 69,73 ****
- Words from a search query are now properly highlighted in comments when the
words occured only in the comments (but not in the story).
- - Fixed parse errors in the french_canada.php language file (bug #53).
- Integrated Vincent Furia's new comment code to use templates for comments
(instead of hard-coded HTML).
--- 67,70 ----
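Review bot: the bug #53 reference is lost in this move. The entry removed here names the french_canada.php parse errors and bug #53, but the 1.3.8-1sr1 entry it is folded into only says "The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files." Suggest keeping the file name and tracker number there, e.g. "- Fixed parse errors in the french_canada.php language file (bug #53); the full 1.3.8-1sr1 tarball also includes updated Turkish language files.", so the fix remains traceable.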
***************
*** 84,87 ****
--- 81,132 ----
+ October 14, 2003 (1.3.8-1sr2)
+ ----------------
+
+ Jouko Pynnonen found a way to trick the new "forgot password" feature,
+ introduced in 1.3.8, into letting an attacker change the password for _any_
+ account. This release addresses this issue - there were no other changes.
+
+ The only thing you need to do is to replace the file users.php on your site
+ with the file that comes with this tarball. It's suggested that you change
+ the version number in your config.php to '1.3.8-1sr2' afterwards.
+
+ Please note that only Geeklog 1.3.8, 1.3.8-1, and 1.3.8-1sr1 are affected,
+ as this feature did not exist in earlier versions.
+
+
+ October 12, 2003 (1.3.8-1sr1)
+ ----------------
+
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+ injections and CSS defacements.
+
+ When upgrading from an earlier version, please make sure to copy over the
+ $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+ config.php to your own copy of that file.
+
+ 2. While almost all of the alleged SQL injection issues could not be
+ reproduced, this release includes an update to the MySQL class to not
+ report SQL errors in the browser any more (but only in Geeklog's error.log).
+ This will avoid disclosing any sensitive information as part of the error
+ message.
+
+ Please note that at the moment we do NOT recommend to use Geeklog with
+ MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+ not be used on production sites anyway).
+
+ An upcoming release of Geeklog will address the remaining SQL issues,
+ including any problems with MySQL 4.1.
+
+ Other fixes (not security-related):
+ - When trying to guess the value of $_CONF['cookiedomain'], we need to remove
+ the port number from the URL, if there is one (bug #75).
+ - The full 1.3.8-1sr1 tarball also includes updated French (Canada) and
+ Turkish language files.
+
+
August 9, 2003 (1.3.8-1)
--------------
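Review bot: the 1.3.8-1sr2 entry explains how to install the fix but not what to do about prior exposure: since the flaw let an attacker "change the password for _any_ account", admins who ran 1.3.8, 1.3.8-1 or 1.3.8-1sr1 with the forgot-password feature reachable should be told to check for password changes the account owners did not request (at least on admin accounts) in addition to replacing users.php and bumping the version string in config.php. In item 2 of the 1.3.8-1sr1 entry, "almost all of the alleged SQL injection issues could not be reproduced" leaves unclear which issues were reproduced and whether those are fixed in sr1 or deferred to the "upcoming release" mentioned two paragraphs later; name them, or state explicitly that sr1 only suppresses SQL error output and fixes none of the reproducible issues, so admins can judge their remaining exposure.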
***************
*** 409,412 ****
--- 454,485 ----
Please see docs/staticpages.html for details.
+
+
+ October 12, 2003 (1.3.7sr3)
+ ----------------
+
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+ injections and CSS defacements.
+
+ When upgrading from an earlier version, please make sure to copy over the
+ $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+ config.php to your own copy of that file.
+
+ 2. While almost all of the alleged SQL injection issues could not be
+ reproduced, this release includes an update to the MySQL class to not
+ report SQL errors in the browser any more (but only in Geeklog's error.log).
+ This will avoid disclosing any sensitive information as part of the error
+ message.
+
+ Please note that at the moment we do NOT recommend to use Geeklog with
+ MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+ not be used on production sites anyway).
+
+ An upcoming release of Geeklog will address the remaining SQL issues,
+ including any problems with MySQL 4.1.
+
May 26, 2003 (1.3.7sr2)
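Review bot: the 1.3.7sr3 entry repeats items 1 and 2 of the 1.3.8-1sr1 text verbatim but drops the "Other fixes (not security-related)" block, so the 1.3.7 branch apparently received neither the cookiedomain port-number fix (bug #75) nor the language file updates. If that is intentional (security-only backport), say so in one line, e.g. "This release contains only the two security fixes above; no other changes were backported to the 1.3.7 branch.", so that 1.3.7 users do not assume the sr1 "Other fixes" apply to them. The kses note in item 1 should also tell 1.3.7 upgraders that $_CONF['user_html'] and $_CONF['admin_html'] are new arrays they will not find in their existing config.php, which is what "copy over" implies but does not state.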