[geeklog-cvs] geeklog-1.3/public_html/docs changes.html,1.42,1.43 history,1.263,1.264 install.html,1.36,1.37
dhaun at iowaoutdoors.org
Fri Dec 31 11:14:46 EST 2004
Update of /var/cvs/geeklog-1.3/public_html/docs
In directory www:/tmp/cvs-serv6274/public_html/docs
Modified Files:
changes.html history install.html
Log Message:
Updated documentation
Index: install.html
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/install.html,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** install.html 19 Dec 2004 14:19:31 -0000 1.36
--- install.html 31 Dec 2004 16:14:44 -0000 1.37
***************
*** 140,144 ****
<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
<br>
! <code>tar -zxvf geeklog-1.3.11rc1.tar.gz</code><br>
<br>
<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 140,144 ----
<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
<br>
! <code>tar -zxvf geeklog-1.3.11.tar.gz</code><br>
<br>
<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
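Review bot: style point in the unchanged context of this hunk: `<i>on the designated server </i>-` keeps the trailing space inside the italic element and glues the hyphen to the closing tag; since the file is being touched anyway, `<i>on the designated server</i> -` would render cleanly. The tarball rename from the rc1 to the final release name is the only functional change and looks correct.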
Index: changes.html
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/changes.html,v
retrieving revision 1.42
retrieving revision 1.43
diff -C2 -d -r1.42 -r1.43
*** changes.html 22 Dec 2004 17:26:00 -0000 1.42
--- changes.html 31 Dec 2004 16:14:44 -0000 1.43
***************
*** 25,30 ****
<h2><a name="changes1311">Geeklog 1.3.11</a></h2>
! <p>Geeklog 1.3.11 is a bugfix release over Geeklog 1.3.10 and is meant to replace 1.3.10. The change in the version number was necessary since one of the bugfixes involves a change in the database.</p>
<ul>
<li>Fixes the length of the 'sid' field in the gl_comments table. Using story IDs longer than 20 characters prevented comment posts from being associated with the story.</li>
--- 25,44 ----
<h2><a name="changes1311">Geeklog 1.3.11</a></h2>
! <p>Geeklog 1.3.11 is a <strong>bugfix and security release</strong> over Geeklog 1.3.10 and is meant to replace 1.3.10. The change in the version number was necessary since one of the bugfixes involves a change in the database.</p>
!
! <h3>Security issues</h3>
! <ol>
! <li>It was possible to submit stories anonymously even if anonymous submissions
! were turned off in <tt>config.php</tt> (reported by Barry Wong).<br>
! These stories still ended up in the submission queue, though, unless you
! disabled it in <tt>config.php</tt>.</li>
! <li>Some of the parameters in link and event submissions weren't filtered,
! leaving them open to potential SQL injections.</li>
! <li>The links for the What's Related block were created from the unfiltered
! story text, opening the possibility of XSS attacks (reported by Vincent
! Furia).</li>
! </ol>
+ <h3>Bugfixes</h3>
<ul>
<li>Fixes the length of the 'sid' field in the gl_comments table. Using story IDs longer than 20 characters prevented comment posts from being associated with the story.</li>
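Review bot: the new Security issues list states neither which releases are affected nor which link and event submission parameters went unfiltered, so a reader cannot judge their exposure from the changelog; add the affected version range above the `<ol>` (the 1.3.9sr3 entry added later in this file shows that at least 1.3.9 and 1.3.10 were affected by the first two issues) and name the parameters, or link to an advisory that does. Also, the `<br>` inside the first `<li>` splits one sentence from its qualifier; dropping the forced break and keeping it as two plain sentences reads better.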
***************
*** 38,42 ****
</ul>
! <p>Upgrading from Geeklog 1.3.10 should be relatively painless, as there weren't any changes in the themes, language files, or config.php over 1.3.10.</p>
--- 52,56 ----
</ul>
! <p>We strongly advise users of Geeklog 1.3.10 to upgrade to 1.3.11 ASAP. Upgrading should be relatively painless, as there weren't any changes in the themes, language files, or config.php over 1.3.10.</p>
***************
*** 185,188 ****
--- 199,214 ----
(see the <tt>docs/history</tt> file for proper credits). Thank you!</p>
+ <h2><a name="changes139sr3">Geeklog 1.3.9sr3</a></h2>
+ <p>This release addresses the following security issues:</p>
+
+ <ol>
+ <li>It was possible to submit stories anonymously even if anonymous submissions
+ were turned off in <tt>config.php</tt> (reported by Barry Wong).<br>
+ These stories still ended up in the submission queue, though, unless you
+ disabled it in <tt>config.php</tt>.</li>
+ <li>Some of the parameters in link and event submissions weren't filtered,
+ leaving them open to potential SQL injections.</li>
+ </ol>
+
<h2><a name="changes139sr2">Geeklog 1.3.9sr2</a></h2>
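Review bot: the 1.3.9sr3 list covers only the anonymous submission and SQL injection issues, while the 1.3.11 entry above also fixes the What's Related XSS; if 1.3.9 is not affected by the XSS issue, say so here, and if it is, this entry should state that users on the 1.3.9 line still need to move to 1.3.11, otherwise they will read sr3 as a complete fix.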
Index: history
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/history,v
retrieving revision 1.263
retrieving revision 1.264
diff -C2 -d -r1.263 -r1.264
*** history 22 Dec 2004 17:26:00 -0000 1.263
--- history 31 Dec 2004 16:14:44 -0000 1.264
***************
*** 1,4 ****
--- 1,42 ----
GeekLog History/Changes:
+ Dec 31, 2004 (1.3.11)
+ ------------
+
+ Geeklog 1.3.11 addresses the following security issues:
+
+ 1. It was possible to submit stories anonymously even if anonymous submissions
+ were turned off in config.php (reported by Barry Wong).
+ These stories still ended up in the submission queue, though, unless you
+ disabled it in config.php.
+ 2. Some of the parameters in link and event submissions weren't filtered,
+ leaving them open to potential SQL injections.
+ 3. The links for the What's Related block were created from the unfiltered story
+ text, opening the possibility of XSS attacks (reported by Vincent Furia).
+
+ Bugfixes:
+
+ - Added a missing stripslashes() call for the topic name in the What's Related
+ block (bug #351) [Dirk]
+ (affected file: system/lib-story.php)
+ - Fixed problems in the story editor when editing plain-text posts with
+ uploaded images (bug #356) [Dirk]
+ (affected file: public_html/admin/story.php)
+ - When changing a story ID, update the story ID in any comments to that story,
+ too (bug #357) [Dirk]
+ (affected file: public_html/admin/story.php)
+ - Fixed handling of autotags that started with the same substring, e.g. for
+ 2 tags 'mytag' and 'mytagtwo', the second tag would not be recognized
+ (reported by Dr. Shakagee) [Dirk]
+ (affected file: system/lib-plugins.php)
+ - Fixed caching of $_GROUPS [Dirk]
+ (affected files: system/lib-security.php, public_html/lib-common.php)
+ - Made a minor optimization to save one SQL request when displaying the comment
+ bar for anonymous users [Dirk]
+ (affected file: public_html/lib-common.php)
+ - Updated Slovenian language file, provided by gape.
+ (affected file: language/slovenian.php)
+
+
Dec 22, 2004 (1.3.11rc1)
------------
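Review bot: the three security entries at the top of this hunk lack the `(affected file: ...)` lines that every bugfix entry below them carries, and that is exactly the information a packager backporting the fixes or an administrator verifying a patched install most needs; add them in the same format. Minor: the Slovenian language entry is the only one without a contributor tag in square brackets.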
***************
*** 525,528 ****
--- 563,579 ----
+ Dec 31, 2004 (1.3.9sr3)
+ ------------
+
+ This release addresses 2 security issues:
+
+ 1. It was possible to submit stories anonymously even if anonymous submissions
+ were turned off in config.php (reported by Barry Wong).
+ These stories still ended up in the submission queue, though, unless you
+ disabled it in config.php.
+ 2. Some of the parameters in link and event submissions weren't filtered,
+ leaving them open to potential SQL injections.
+
+
Oct 8, 2004 (1.3.9sr2)
-----------