[geeklog-cvs] geeklog: Ported 1.5.2sr2 changes over from the branch
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sat Apr 4 15:49:26 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/f588d8d5c7c0
changeset: 6890:f588d8d5c7c0
user: Dirk Haun <dirk at haun-online.de>
date: Sat Apr 04 20:22:02 2009 +0200
description:
Ported 1.5.2sr2 changes over from the branch
diffstat:
3 files changed, 19 insertions(+), 6 deletions(-)
public_html/docs/changes.html | 5 +++++
public_html/docs/history | 12 +++++++++++-
system/lib-sessions.php | 8 +++-----
diffs (80 lines):
diff -r 81f6adbf7687 -r f588d8d5c7c0 public_html/docs/changes.html
--- a/public_html/docs/changes.html Wed Apr 01 15:21:52 2009 -0500
+++ b/public_html/docs/changes.html Sat Apr 04 20:22:02 2009 +0200
@@ -35,6 +35,11 @@
<li>The minimum PHP version required by Geeklog is now <strong>PHP 4.3.0</strong>. Given that the PHP team ended support for PHP 4 in August 2008, you should be
looking into upgrading to PHP 5 anyway.</li>
</ul>
+
+
+<h2><a name="changes152sr2">Geeklog 1.5.2sr2</a></h2>
+
+<p>Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This issue allowed an attacker to extract the password hash for any account and is fixed with this release.</p>
<h2><a name="changes152sr1">Geeklog 1.5.2sr1</a></h2>
diff -r 81f6adbf7687 -r f588d8d5c7c0 public_html/docs/history
--- a/public_html/docs/history Wed Apr 01 15:21:52 2009 -0500
+++ b/public_html/docs/history Sat Apr 04 20:22:02 2009 +0200
@@ -1,6 +1,6 @@
Geeklog History/Changes:
-Mar ??, 2009 (1.6.0)
+Apr ??, 2009 (1.6.0)
------------
Geeklog 1.6.0 incorporates the following projects implemented during
@@ -130,6 +130,16 @@
every other plugin and built-in function does (bug #0000644) [Dirk]
+Apr 4, 2009 (1.5.2sr2)
+-----------
+
+This release addresses the following security issue:
+
+Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion
+that also works with Geeklog. This issue allowed an attacker to extract the
+password hash for any account and is fixed with this release.
+
+
Mar 30, 2009 (1.5.2sr1)
------------
diff -r 81f6adbf7687 -r f588d8d5c7c0 system/lib-sessions.php
--- a/system/lib-sessions.php Wed Apr 01 15:21:52 2009 -0500
+++ b/system/lib-sessions.php Sat Apr 04 20:22:02 2009 +0200
@@ -2,13 +2,13 @@
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
-// | Geeklog 1.5 |
+// | Geeklog 1.6 |
// +---------------------------------------------------------------------------+
// | lib-sessions.php |
// | |
// | Geeklog session library. |
// +---------------------------------------------------------------------------+
-// | Copyright (C) 2000-2008 by the following authors: |
+// | Copyright (C) 2000-2009 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony AT tonybibbs DOT com |
// | Mark Limburg - mlimburg AT users DOT sourceforge DOT net |
@@ -29,8 +29,6 @@
// | Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
// | |
// +---------------------------------------------------------------------------+
-//
-// $Id: lib-sessions.php,v 1.47 2008/09/21 08:37:12 dhaun Exp $
/**
* This is the session management library for Geeklog. Some of this code was
@@ -397,7 +395,7 @@
if ($md5_based == 1) {
$sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (md5_sess_id = '$sessid')";
} else {
- $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = $sessid)";
+ $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = '$sessid')";
}
$result = DB_query($sql);
More information about the geeklog-cvs
mailing list