[geeklog-cvs] geeklog-1.3/public_html/docs changes.html,1.42,1.43 history,1.263,1.264 install.html,1.36,1.37

dhaun at iowaoutdoors.org
Fri Dec 31 11:14:46 EST 2004


Update of /var/cvs/geeklog-1.3/public_html/docs
In directory www:/tmp/cvs-serv6274/public_html/docs

Modified Files:
	changes.html history install.html 
Log Message:
Updated documentation


Index: install.html
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/install.html,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** install.html	19 Dec 2004 14:19:31 -0000	1.36
--- install.html	31 Dec 2004 16:14:44 -0000	1.37
***************
*** 140,144 ****
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.11rc1.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 140,144 ----
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.11.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
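Review bot: The tarball name in the `tar -zxvf` line is the only change here, so the 1.3.11 install page still gives no way for the admin to check that the downloaded `geeklog-1.3.11.tar.gz` is the release the project published. Since the surrounding text is about obtaining and unpacking the archive, consider adding a sentence pointing at the published checksum or signature for the release archive before the unpack step, so the same page that tells users to upgrade for security fixes also tells them how to confirm what they are unpacking.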

Index: changes.html
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/changes.html,v
retrieving revision 1.42
retrieving revision 1.43
diff -C2 -d -r1.42 -r1.43
*** changes.html	22 Dec 2004 17:26:00 -0000	1.42
--- changes.html	31 Dec 2004 16:14:44 -0000	1.43
***************
*** 25,30 ****
  <h2><a name="changes1311">Geeklog 1.3.11</a></h2>
  
! <p>Geeklog 1.3.11 is a bugfix release over Geeklog 1.3.10 and is meant to replace 1.3.10. The change in the version number was necessary since one of the bugfixes involves a change in the database.</p>
  
  <ul>
  <li>Fixes the length of the 'sid' field in the gl_comments table. Using story IDs longer than 20 characters prevented comment posts from being associated with the story.</li>
--- 25,44 ----
  <h2><a name="changes1311">Geeklog 1.3.11</a></h2>
  
! <p>Geeklog 1.3.11 is a <strong>bugfix and security release</strong> over Geeklog 1.3.10 and is meant to replace 1.3.10. The change in the version number was necessary since one of the bugfixes involves a change in the database.</p>
! 
! <h3>Security issues</h3>
! <ol>
! <li>It was possible to submit stories anonymously even if anonymous submissions
!     were turned off in <tt>config.php</tt> (reported by Barry Wong).<br>
!     These stories still ended up in the submission queue, though, unless you
!     disabled it in <tt>config.php</tt>.</li>
! <li>Some of the parameters in link and event submissions weren't filtered,
!     leaving them open to potential SQL injections.</li>
! <li>The links for the What's Related block were created from the unfiltered
!     story text, opening the possibility of XSS attacks (reported by Vincent
!     Furia).</li>
! </ol>
  
+ <h3>Bugfixes</h3>
  <ul>
  <li>Fixes the length of the 'sid' field in the gl_comments table. Using story IDs longer than 20 characters prevented comment posts from being associated with the story.</li>
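Review bot: The new "Security issues" list names the three problems but not where they were fixed, unlike the "Bugfixes" entries in the `history` hunk of this same commit, which carry "(affected file: ...)" notes. Item 2 in particular ("Some of the parameters in link and event submissions weren't filtered") does not say which parameters or which scripts were affected, so an administrator cannot tell whether a locally modified copy of those files still needs the fix. Suggest adding the affected files to each of the three items, and, since this commit also adds a 1.3.9sr3 entry covering items 1 and 2, a cross-reference (`<a href="#changes139sr3">`) for users who are still on the 1.3.9 line.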
***************
*** 38,42 ****
  </ul>
  
! <p>Upgrading from Geeklog 1.3.10 should be relatively painless, as there weren't any changes in the themes, language files, or config.php over 1.3.10.</p>
  
  
--- 52,56 ----
  </ul>
  
! <p>We strongly advise users of Geeklog 1.3.10 to upgrade to 1.3.11 ASAP. Upgrading should be relatively painless, as there weren't any changes in the themes, language files, or config.php over 1.3.10.</p>
  
  
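Review bot: The upgrade paragraph says upgrading "should be relatively painless" because themes, language files and config.php are unchanged, but the same file states a few lines earlier that one bugfix "involves a change in the database". Consider stating explicitly that the upgrade step which applies that schema change (the `gl_comments` 'sid' length fix listed under Bugfixes) must still be run, so that "painless" is not read as "copy the files over and done".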
***************
*** 185,188 ****
--- 199,214 ----
  (see the <tt>docs/history</tt> file for proper credits). Thank you!</p>
  
+ <h2><a name="changes139sr3">Geeklog 1.3.9sr3</a></h2>
+ <p>This release addresses the following security issues:</p>
+ 
+ <ol>
+ <li>It was possible to submit stories anonymously even if anonymous submissions
+     were turned off in <tt>config.php</tt> (reported by Barry Wong).<br>
+     These stories still ended up in the submission queue, though, unless you
+     disabled it in <tt>config.php</tt>.</li>
+ <li>Some of the parameters in link and event submissions weren't filtered,
+     leaving them open to potential SQL injections.</li>
+ </ol>
+ 
  
  <h2><a name="changes139sr2">Geeklog 1.3.9sr2</a></h2>
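Review bot: The new 1.3.9sr3 section lists only security issues 1 and 2 and is silent on whether the What's Related XSS (issue 3 in the 1.3.11 list above) affects 1.3.9, so a 1.3.9 administrator reading this entry cannot tell whether sr3 leaves them exposed. Suggest one sentence saying either that the issue does not apply to 1.3.9 or that 1.3.9 users should move to 1.3.11, and, to match the 1.3.11 entry, an explicit recommendation to upgrade (the 1.3.11 section gets "We strongly advise ... to upgrade ... ASAP"; the sr3 section gets no such advice).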

Index: history
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/history,v
retrieving revision 1.263
retrieving revision 1.264
diff -C2 -d -r1.263 -r1.264
*** history	22 Dec 2004 17:26:00 -0000	1.263
--- history	31 Dec 2004 16:14:44 -0000	1.264
***************
*** 1,4 ****
--- 1,42 ----
  GeekLog History/Changes:
  
+ Dec 31, 2004 (1.3.11)
+ ------------
+ 
+ Geeklog 1.3.11 addresses the following security issues:
+ 
+ 1. It was possible to submit stories anonymously even if anonymous submissions
+    were turned off in config.php (reported by Barry Wong).
+    These stories still ended up in the submission queue, though, unless you
+    disabled it in config.php.
+ 2. Some of the parameters in link and event submissions weren't filtered,
+    leaving them open to potential SQL injections.
+ 3. The links for the What's Related block were created from the unfiltered story
+    text, opening the possibility of XSS attacks (reported by Vincent Furia).
+ 
+ Bugfixes:
+ 
+ - Added a missing stripslashes() call for the topic name in the What's Related
+   block (bug #351) [Dirk]
+   (affected file: system/lib-story.php)
+ - Fixed problems in the story editor when editing plain-text posts with
+   uploaded images (bug #356) [Dirk]
+   (affected file: public_html/admin/story.php)
+ - When changing a story ID, update the story ID in any comments to that story,
+   too (bug #357) [Dirk]
+   (affected file: public_html/admin/story.php)
+ - Fixed handling of autotags that started with the same substring, e.g. for
+   2 tags 'mytag' and 'mytagtwo', the second tag would not be recognized
+   (reported by Dr. Shakagee) [Dirk]
+   (affected file: system/lib-plugins.php)
+ - Fixed caching of $_GROUPS [Dirk]
+   (affected files: system/lib-security.php, public_html/lib-common.php)
+ - Made a minor optimization to save one SQL request when displaying the comment
+   bar for anonymous users [Dirk]
+   (affected file: public_html/lib-common.php)
+ - Updated Slovenian language file, provided by gape.
+   (affected file: language/slovenian.php)
+ 
+ 
  Dec 22, 2004 (1.3.11rc1)
  ------------
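Review bot: The three numbered security items in the new 1.3.11 block lack the "(affected file: ...)" annotation that every bugfix entry below them carries, and item 2 does not name the unfiltered parameters. Since the `history` file is where administrators look to verify which files a patched install must contain, suggest adding the affected files to items 1-3 (for example the link and event submission scripts for item 2 and `system/lib-story.php`, already named for the What's Related stripslashes fix, if that is where item 3 was fixed). Minor style point: the Slovenian language file entry is the only one without a "[name]" credit bracket.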
***************
*** 525,528 ****
--- 563,579 ----
  
  
+ Dec 31, 2004 (1.3.9sr3)
+ ------------
+ 
+ This release addresses 2 security issues:
+ 
+ 1. It was possible to submit stories anonymously even if anonymous submissions
+    were turned off in config.php (reported by Barry Wong).
+    These stories still ended up in the submission queue, though, unless you
+    disabled it in config.php.
+ 2. Some of the parameters in link and event submissions weren't filtered,
+    leaving them open to potential SQL injections.
+ 
+ 
  Oct 8, 2004 (1.3.9sr2)
  -----------
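Review bot: "This release addresses 2 security issues" contradicts nothing on its own, but placed next to the 1.3.11 block at the top of the file, which lists three, it invites the question whether the third (What's Related XSS) was deliberately omitted for 1.3.9sr3 or simply not backported. Suggest either a short note stating that the What's Related code in 1.3.9 is not affected, or a pointer to 1.3.11 for that fix, and wording consistent with the changes.html entry in this commit ("addresses the following security issues").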