[geeklog-cvs] geeklog-1.3/docs changes.html,1.10.2.1.2.1,1.10.2.1.2.2 history,1.63.2.1.2.1,1.63.2.1.2.2 install.html,1.11,1.11.4.1

dhaun at geeklog.net
Mon Jan 19 15:12:50 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv8503

Modified Files:
      Tag: geeklog_1_3_7sr2_1
	changes.html history install.html 
Log Message:
Updated documentation


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.10.2.1.2.1
retrieving revision 1.10.2.1.2.2
diff -C2 -d -r1.10.2.1.2.1 -r1.10.2.1.2.2
*** changes.html	12 Oct 2003 12:31:33 -0000	1.10.2.1.2.1
--- changes.html	19 Jan 2004 20:12:48 -0000	1.10.2.1.2.2
***************
*** 23,26 ****
--- 23,59 ----
  of files that have been changed since the last release.</p>
  
+ <h2><a name="changes137sr5">Geeklog 1.3.7sr5</a></h2>
+ <p>This release addresses the following security issues:</p>
+ 
+ <ol>
+ <li>It was possible for users in the Group Admin and User Admin groups to
+     become a member of the Root group (reported by Samuel M. Stone,
+     bug #135).</li>
+ <li>Being admin for a certain area (e.g. Story Admin for stories) made it
+     possible to delete all objects in that area (e.g. stories) even if the user
+     was not supposed to have access to them, provided the id of the object was
+     known.</li>
+ <li>It was possible to delete other people's personal events if you knew the
+     event ID.</li>
+ <li>It was possible to browse through the comments of a story even if the user
+     did not have access to the actual story (reported by Peter Roozemaal).</li>
+ </ol>
+ 
+ 
+ <h2><a name="changes137sr4">Geeklog 1.3.7sr4</a></h2>
+ <p>This release addresses the following security-related issues:</p>
+ 
+ <ol>
+ <li>As "dr.wh0" pointed out, the category field for link submissions was not
+     filtered at all. Although you probably can't cause too much harm with
+     those 32 characters, this has now been fixed.</li>
+ <li>Vincent Furia found that the restrictions for the form to email users
+     could be circumvented and could even be used to spam users.</li>
+ <li>There was a way to post comments anonymously even when posting for
+     anonymous users had been disabled.</li>
+ <li>It was possible to post comments under someone else's username.</li>
+ </ol>
+ 
+ 
  <h2><a name="changes137sr3">Geeklog 1.3.7sr3</a></h2>
  
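Review bot: The four sr5 items only describe what was possible; unlike the sr4 item 1 wording ("this has now been fixed"), none of them states that the behaviour is corrected in this release, so a reader cannot tell from the changelog alone that sr5 closes them. Suggest ending each item (or the introductory sentence) with an explicit statement that the issue is fixed in 1.3.7sr5. For item 1 (Group Admin and User Admin users able to become Root group members), the entry would also help administrators more if it advised reviewing Root group membership after upgrading, since the text only describes the path and says nothing about accounts that may already have used it. Minor: item 2 writes "the id of the object" while item 3 writes "event ID"; use one spelling.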

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.63.2.1.2.1
retrieving revision 1.63.2.1.2.2
diff -C2 -d -r1.63.2.1.2.1 -r1.63.2.1.2.2
*** history	12 Oct 2003 12:31:33 -0000	1.63.2.1.2.1
--- history	19 Jan 2004 20:12:48 -0000	1.63.2.1.2.2
***************
*** 1,4 ****
--- 1,36 ----
  GeekLog History/Changes:
  
+ January 21, 2004 (1.3.7sr5)
+ ----------------
+ 
+ This release addresses the following security issues:
+ 
+ 1. It was possible for users in the Group Admin and User Admin groups to
+    become a member of the Root group (reported by Samuel M. Stone, bug #135).
+ 2. Being admin for a certain area (e.g. Story Admin for stories) made it
+    possible to delete all objects in that area (e.g. stories) even if the
+    user was not supposed to have access to them, provided the id of the object
+    was known.
+ 3. It was possible to delete other people's personal events if you knew the
+    event ID.
+ 4. It was possible to browse through the comments of a story even if the user
+    did not have access to the actual story (reported by Peter Roozemaal).
+ 
+ 
+ December 5, 2003 (1.3.7sr4)
+ ----------------
+ 
+ This release addresses the following security-related issues:
+ 
+ 1. As "dr.wh0" pointed out, the category field for link submissions was not
+    filtered at all. Although you probably can't cause too much harm with
+    those 32 characters, this has now been fixed. 
+ 2. Vincent Furia found that the restrictions for the form to email users
+    could be circumvented and could even be used to spam users.
+ 3. There was a way to post comments anonymously even when posting for
+    anonymous users had been disabled.
+ 4. It was possible to post comments under someone else's username.
+ 
+ 
  October 12, 2003 (1.3.7sr3)
  ----------------
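Review bot: Trailing whitespace after "this has now been fixed." in item 1 of the sr4 entry; trim it. The sr5 and sr4 lists here are a verbatim copy of the changes.html lists in this same commit, so any later correction (reporter names for items 2 and 3 of sr5, or an explicit "fixed in this release" statement) has to be made in both files; keep that in mind when touching either one. The sr5 entry is dated January 21, 2004 while this commit is from January 19; fine if that is the planned release date, but confirm it before the release tag is cut.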

Index: install.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/install.html,v
retrieving revision 1.11
retrieving revision 1.11.4.1
diff -C2 -d -r1.11 -r1.11.4.1
*** install.html	13 Jan 2003 13:22:37 -0000	1.11
--- install.html	19 Jan 2004 20:12:48 -0000	1.11.4.1
***************
*** 139,143 ****
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.7sr1.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 139,143 ----
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.7sr5.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
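Review bot: Only the tarball name inside the <code> element changes (1.3.7sr1 to 1.3.7sr5), and the hunk covers lines 139-143 only, so check that no other sr1 version string remains elsewhere in install.html. Since this step unpacks the archive directly inside the web tree, the instructions would benefit from a preceding step telling the reader to verify the downloaded tarball's integrity (a checksum or signature, if the project publishes one) before running tar, and from a remark that the version in the example command must be updated with every security release, as this commit does by hand.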




