[geeklog-cvs] geeklog-1.3/public_html/docs changes.html,1.33,1.34 history,1.247,1.248
dhaun at iowaoutdoors.org
Mon Oct 11 14:21:05 EDT 2004
Update of /var/cvs/geeklog-1.3/public_html/docs
In directory www:/tmp/cvs-serv24899
Modified Files:
changes.html history
Log Message:
Updated documentation and synced with the 1.3.9sr2 / 1.3.8-1sr6 releases.
Index: changes.html
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/changes.html,v
retrieving revision 1.33
retrieving revision 1.34
diff -C2 -d -r1.33 -r1.34
*** changes.html 5 Oct 2004 20:02:20 -0000 1.33
--- changes.html 11 Oct 2004 18:21:03 -0000 1.34
***************
*** 143,146 ****
--- 143,164 ----
+ <h2><a name="changes139sr2">Geeklog 1.3.9sr2</a></h2>
+ <p>This release addresses the following security issues:</p>
+
+ <ol>
+ <li>Fixed a cross site scripting vulnerability caused by using the variable
+ <code>$topic</code> in the language files (bug #293).</li>
+ <li>Prevent comment posts on stories or polls were comment posting has been
+ disabled.</li>
+ </ol>
+
+ <h3>Other fixes</h3>
+ <ul>
+ <li>Fixed <tt>lib-plugins.php</tt> to work properly with PHP 5.</li>
+ <li>The complete tarball also includes updated PEAR packaged that fix
+ some of the reported email problems.</li>
+ </ul>
+
+
<h2><a name="changes139sr1">Geeklog 1.3.9sr1</a></h2>
<p>This release addresses the following security issues:</p>
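Review bot: typo in the second list item: "on stories or polls were comment posting has been disabled" should read "where comment posting has been disabled" (the same sentence is repeated in the 1.3.8-1sr6 entry below, so fix both). In the "Other fixes" list, "updated PEAR packaged" should be "updated PEAR packages". The cross-site-scripting item could also name the affected language string ($LANG05[3], as the history entry in this same commit does) so that administrators with customised language files know what to check.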
***************
*** 243,246 ****
--- 261,286 ----
+ <h2><a name="changes138-1sr6">Geeklog 1.3.8-1sr6</a></h2>
+ <p>This release addresses the following security issues:</p>
+
+ <ol>
+ <li>Fixed a cross site scripting vulnerability caused by using the variable
+ <code>$topic</code> in the language files (bug #293).</li>
+ <li>Prevent comment posts on stories or polls were comment posting has been
+ disabled.</li>
+ </ol>
+
+
+ <h2><a name="changes138-1sr5">Geeklog 1.3.8-1sr5</a></h2>
+ <p>This release addresses the following security issue:</p>
+
+ <ol>
+ <li>It was possible to post anonymous comments, even when anonymous comment
+ posting had been switched off in config.php.<br>
+ This bug was apparently exploited by spammers to send hundreds of spam
+ posts to certain Geeklog sites.</li>
+ </ol>
+
+
<h2><a name="changes138-1sr4">Geeklog 1.3.8-1sr4</a></h2>
<p>This release addresses the following security issues:</p>
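Review bot: same "were"/"where" typo in the second list item as in the 1.3.9sr2 entry above. The 1.3.8-1sr5 entry says anonymous comment posting "had been switched off in config.php" without naming the option; stating which config.php setting is meant would let administrators verify their configuration after upgrading, and the `<br>` inside the `<li>` could simply be a second sentence.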
Index: history
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/docs/history,v
retrieving revision 1.247
retrieving revision 1.248
diff -C2 -d -r1.247 -r1.248
*** history 7 Oct 2004 21:10:23 -0000 1.247
--- history 11 Oct 2004 18:21:03 -0000 1.248
***************
*** 4,7 ****
--- 4,9 ----
------------
+ - Fixed link to the Anonymous user's profile in comment/thread.thtml [Dirk]
+ - Added Location field to the user profile [Blaine]
- In the light of bug #293, removed all variable names from the language files,
leaving only the $_CONF config variables [Dirk]
***************
*** 350,353 ****
--- 352,376 ----
+ Oct 8, 2004 (1.3.9sr2)
+ -----------
+
+ This release addresses 2 security issues:
+
+ - Fixed a cross site scripting vulnerability caused by using the $topic
+ variable in the language files ($LANG05[3]) where it should have been
+ using '%s' instead (bug #293) [Vinny, Dirk]
+ - It was possible to post comments to stories or polls for which comment
+ posting had been switched off [Dirk]
+ This was only a problem if you allowed anonymous posts or when spammers
+ went through the trouble of actually signing up for an account before
+ posting.
+
+ Non-security related fixes:
+
+ - Fixed lib-plugins.php to be compatible with PHP 5 [Dirk]
+ - Includes updated PEAR packages to resolve email problems some users were
+ having (especially with safe_mode being on).
+
+
Jun 1, 2004 (1.3.9sr1)
-----------
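Review bot: the qualifier "This was only a problem if you allowed anonymous posts or when spammers went through the trouble of actually signing up for an account" understates the issue: by the entry's own description any registered user could post comments to stories or polls where comment posting had been switched off, not only spammers. Suggest stating the precondition plainly, e.g. "Any user able to post comments (anonymous or registered) could post to stories or polls with comment posting switched off." The release date is given as Oct 8, 2004 while this commit is dated Oct 11; confirm that is the intended release date.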
***************
*** 685,688 ****
--- 708,728 ----
+ Oct 8, 2004 (1.3.8-1sr6)
+ -----------
+
+ This release addresses 2 security issues:
+
+ - Fixed a cross site scripting vulnerability caused by using the $topic
+ variable in the language files ($LANG05[3]) where it should have been
+ using '%s' instead (bug #293) [Vinny, Dirk]
+ Note: german.php was not affected and is therefore not included.
+
+ - It was possible to post comments to stories or polls for which comment
+ posting had been switched off [Dirk]
+ This was only a problem if you allowed anonymous posts or when spammers
+ went through the trouble of actually signing up for an account before
+ posting.
+
+
Jun 1, 2004 (1.3.8-1sr5)
-----------
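Review bot: the line "Note: german.php was not affected and is therefore not included." appears only in this 1.3.8-1sr6 entry and not in the 1.3.9sr2 entry or in changes.html; if it applies to 1.3.9sr2 as well, add it there, and if not, say why only the 1.3.8-1 branch differs. The blank line between the two list items here also differs from the 1.3.9sr2 entry's layout; make the two entries consistent.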