[geeklog-cvs] geeklog: Synced list of changes with 1.6.0sr2

geeklog-cvs at lists.geeklog.net
Sun Aug 30 13:46:43 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/805a6d632c3e
changeset: 7274:805a6d632c3e
user:      Dirk Haun <dirk at haun-online.de>
date:      Sun Aug 30 19:46:34 2009 +0200
description:
Synced list of changes with 1.6.0sr2

diffstat:

 public_html/docs/english/changes.html |  18 ++++++++++++++++++
 public_html/docs/history              |  40 ++++++++++++++++++++++++++++++----------
 2 files changed, 48 insertions(+), 10 deletions(-)

diffs (107 lines):

diff -r 640671aac40c -r 805a6d632c3e public_html/docs/english/changes.html
--- a/public_html/docs/english/changes.html	Sun Aug 30 10:15:43 2009 +0200
+++ b/public_html/docs/english/changes.html	Sun Aug 30 19:46:34 2009 +0200
@@ -16,6 +16,24 @@
 <a href="../history">ChangeLog</a>. The file <tt>docs/changed-files</tt> has a
 list of files that have been changed since the last release.</p>
 
+<h2><a name="changes160sr2">Geeklog 1.6.0sr2</a></h2>
+
+<p>This release addresses the following security issue:</p>
+<ul>
+<li>Unauthorized file uploads were possible through FCKeditor.<br>
+Uploaded files still had to go through FCKeditor's filter, so it was not possible to upload scripts (and the integrity of the Geeklog site as such was not in danger). There were, however, reports that this was used to host malware.<br>
+This update prevents use of the upload feature when FCKeditor is disabled and disables it for anonymous users. It also doesn't allow uploading of archive files any more. Furthermore, you need some sort of "edit" permission now to be able to upload files through FCKeditor (this is meant as an interim measure - we will probably introduce a separate "upload" permission in future Geeklog versions).</li>
+</ul>
+
+<p>Other fixes:</p>
+<ul>
+<li>Fixed installation using InnoDB tables.</li>
+<li>Fixed a (non-exploitable) SQL error when auto-updating a story's
+    commentcode field.</li>
+<li>Fixed a wrong function name in the Links plugin.</li>
+</ul>
+
+
 <h2><a name="changes160sr1">Geeklog 1.6.0sr1</a></h2>
 
 <p>This release addresses the following security issues:</p>
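Review bot: the "commentcode" entry ("Fixed a (non-exploitable) SQL error when auto-updating a story's commentcode field.") omits the cause that the history file in this same patch gives for the same fix (a missing global declaration); keep the two changelogs saying the same thing, e.g. `<li>Fixed a (non-exploitable) SQL error, caused by a missing global declaration, when auto-updating a story's commentcode field.</li>`. The security paragraph should also give administrators something to verify on their own site: which archive extensions are now rejected and which permissions count as "edit" permission, since "some sort of "edit" permission" leaves them nothing to check against. Minor style point: two blank lines precede the "Geeklog 1.6.0sr1" heading where the rest of the file uses one.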
diff -r 640671aac40c -r 805a6d632c3e public_html/docs/history
--- a/public_html/docs/history	Sun Aug 30 10:15:43 2009 +0200
+++ b/public_html/docs/history	Sun Aug 30 19:46:34 2009 +0200
@@ -1,9 +1,8 @@
 Geeklog History/Changes:
 
-??? ??, 2009 (1.6.1)
-------------
-
-- Fixed installation using InnoDB tables [Dirk]
+Oct ??, 2009 (1.6.1)
+------------
+
 - Send a notification when a comment goes into the submission queue [Dirk]
 - Added a link back to the story to the "Mail Story to a Friend" form [Dirk]
 - Only list [code], [raw] tags when story.* permissions are required [Dirk]
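Review bot: the new underline below "Oct ??, 2009 (1.6.1)" is twelve dashes while the one it replaces was thirteen, and neither matches the heading length; pick one underline convention for the file and apply it consistently. Dropping the InnoDB entry from the 1.6.1 list is correct only because the same fix is re-listed under the 1.6.0sr2 section further down in this patch, so these hunks need to land together rather than be cherry-picked separately.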
@@ -14,8 +13,6 @@
 - Use COM_getUserDateTimeFormat, i.e. the user's preferred format, for
   displaying the date and time in search results [Dirk]
 - When disabling a feed, delete the feed file [Dirk]
-- Fixed an SQL error when the commentcode field was auto-updated (reported by
-  Jokke_K) [Dirk]
 - Moved leftover hard-coded text from admin/sectest.php to the language files
   [Dirk]
 - When creating Pingback excerpts, convert the other site's content to our
@@ -28,8 +25,6 @@
 - Use $LANG_ADMIN['na'] instead of hard-coding 'N/A' in several places [Dirk]
 - For Remote Users, display their service name in the User Editor [Dirk]
 
-- Updated Hebrew language file, provided by LWC
-
 Calendar Plugin
 ---------------
 - Reintroduced {event_begin_anchortag} and {event_end_anchortag} variables
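Review bot: this hunk removes only the Hebrew language file credit, yet the new 1.6.0sr2 section later in the patch credits both an updated Hebrew and an updated German language file, and no German entry is being moved out of the 1.6.1 list; confirm the German update actually shipped with 1.6.0sr2 and was not simply left out of the history file before.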
@@ -39,10 +34,6 @@
 - Avoid triggering a false spam report when submitting an event with the default
   "http://" entry for the link still in place (bug #0000946) [Dirk]
 
-Links Plugin
-------------
-- Fixed wrong function name in the autoinstall.php file (bug #0000954)
-
 Polls Plugin
 ------------
 - Introduced [poll:], [poll_vote:], and [poll_result:] autotags, allowing to
@@ -54,6 +45,33 @@
 - Added support for meta tags and meta keywords, provided by Tom Homer
 
 
+Aug 30, 2009 (1.6.0sr2)
+------------
+
+This release addresses the following security issue:
+- Unauthorized file uploads were possible through FCKeditor.
+  Uploaded files still had to go through FCKeditor's filter, so it was not
+  possible to upload scripts (and the integrity of the Geeklog site as such was
+  not in danger). There were, however, reports that this was used to host
+  malware.
+  This update prevents use of the upload feature when FCKeditor is disabled and
+  disables it for anonymous users. It also doesn't allow uploading of archive
+  files any more. Furthermore, you need some sort of "edit" permission now to
+  be able to upload files through FCKeditor (this is meant as an interim
+  measure - we will probably introduce a separate "upload" permission in future
+  Geeklog versions).
+
+Not security-related:
+- Fixed installation using InnoDB tables [Dirk]
+- Links plugin: Fixed wrong function name in the autoinstall.php file
+  (bug #0000954)
+- Fixed an SQL error (due to a missing global declaration; not exploitable) when
+  the commentcode field was auto-updated (reported by Jokke_K) [Dirk]
+
+This release also includes updated Hebrew (provided by LWC) and German language
+files.
+
+
 Jul 30, 2009 (1.6.0sr1)
 ------------
 
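Review bot: the FCKeditor entry carries no bug-tracker or advisory reference, unlike the neighbouring "(bug #0000954)" entry; add the tracker id if one exists so administrators can find the full details. The entry should also say that the new checks (upload disabled when FCKeditor is disabled, anonymous users blocked, "edit" permission required, archive files rejected) are enforced in the server-side upload handler rather than only in the editor UI, because the issue being fixed is unauthorized uploads, not a display problem; as written, a reader cannot tell which it is. Minor: the section's "Not security-related:" list mixes entries with and without a "[Dirk]" attribution, while the rest of the file attributes every entry.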
