[geeklog-cvs] geeklog: Sync list of changes with 1.5.2sr5 and 1.6.0sr1

geeklog-cvs at lists.geeklog.net
Thu Jul 30 15:00:45 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/45b48a8521db
changeset: 7210:45b48a8521db
user:      Dirk Haun <dirk at haun-online.de>
date:      Thu Jul 30 21:00:35 2009 +0200
description:
Sync list of changes with 1.5.2sr5 and 1.6.0sr1

diffstat:

 public_html/docs/english/changes.html |  31 +++++++++++++++++++++++++++++++
 public_html/docs/history              |  28 ++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 0 deletions(-)

diffs (93 lines):

diff -r c9f2a827ba80 -r 45b48a8521db public_html/docs/english/changes.html
--- a/public_html/docs/english/changes.html	Wed Jul 29 13:30:25 2009 +0200
+++ b/public_html/docs/english/changes.html	Thu Jul 30 21:00:35 2009 +0200
@@ -16,6 +16,25 @@
 <a href="../history">ChangeLog</a>. The file <tt>docs/changed-files</tt> has a
 list of files that have been changed since the last release.</p>
 
+<h2><a name="changes160sr1">Geeklog 1.6.0sr1</a></h2>
+
+<p>This release addresses the following security issues:</p>
+<ol>
+<li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
+    email a story to a friend.</li>
+<li>The "Mail Story to a Friend" function didn't check story permissions, so
+    that it was possible to email a story even if you didn't have the
+    permissions to view it on the site.</li>
+</ol>
+
+<p>Other fixes:</p>
+<ul>
+<li>Fixed an SQL error when submitting a story and the story submission queue
+    was off.</li>
+<li>Fixed calls to a nonexistent function <code>COM_outputMessageAndAbort</code>.</li>
+</ul>
+
+
 <h2><a name="changes160">Geeklog 1.6.0</a></h2>
 
 <h3>Results from the Summer of Code</h3>
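Review bot: the "Other fixes" entry for the SQL error in this hunk drops the qualifier that the matching history entry in this same changeset carries ("due to a non-initialized variable; not exploitable"); because the entry sits directly under a "security issues" list, readers scanning changes.html will want to know that this SQL error is not an injection, so suggest adding the same qualifier here. Likewise the COM_outputMessageAndAbort entry could name the function that is now called instead (COM_displayMessageAndAbort, as the history entry does), since that is what an administrator grepping a customised install will look for.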
@@ -53,6 +72,18 @@
 you!</p>
 
 
+<h2><a name="changes152sr5">Geeklog 1.5.2sr5</a></h2>
+
+<p>This release addresses the following security issues:</p>
+<ol>
+<li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
+    email a story to a friend.</li>
+<li>The "Mail Story to a Friend" function didn't check story permissions, so
+    that it was possible to email a story even if you didn't have the
+    permissions to view it on the site.</li>
+</ol>
+
+
 <h2><a name="changes152sr4">Geeklog 1.5.2sr4</a></h2>
 
 <p>Bookoo of the Nine Situations Group posted another SQL injection exploit, targetting an old bug in usersettings.php. As with the previous issues, this allowed an attacker to extract the password hash for any account and is fixed with this release.</p>
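Review bot: the 1.5.2sr5 security list added here is a verbatim copy of the 1.6.0sr1 list earlier in the file, and neither copy says what the fix actually does: for the XSS, which form inputs of the email-a-user and email-a-story forms are now escaped; for the "Mail Story to a Friend" issue, that the story's view permission is now checked before the mail is sent. One sentence per item would let site owners verify the fix on their install, and a cross-reference to <a href="#changes160sr1"> (the anchor already defined above) would avoid maintaining two identical lists.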
diff -r c9f2a827ba80 -r 45b48a8521db public_html/docs/history
--- a/public_html/docs/history	Wed Jul 29 13:30:25 2009 +0200
+++ b/public_html/docs/history	Thu Jul 30 21:00:35 2009 +0200
@@ -14,6 +14,23 @@
 - For Remote Users, display their service name in the User Editor [Dirk]
 
 
+Jul 30, 2009 (1.6.0sr1)
+------------
+
+This release addresses the following security issues:
+- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
+  email a story to a friend.
+- The "Mail Story to a Friend" function didn't check story permissions, so that
+  it was possible to email a story even if you didn't have the permissions to
+  view it on the site.
+
+Not security-related:
+- Fixed an SQL error (due to a non-initialized variable; not exploitable) when
+  the story submission queue was off (reported by Dieter Thomas) [Dirk]
+- Fixed calls to a nonexistent function COM_outputMessageAndAbort (should have
+  been COM_displayMessageAndAbort) [Dirk]
+
+
 Jul 19, 2009 (1.6.0)
 ------------
 
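Review bot: the two security entries in this hunk carry no fixer tag or reference, while every other entry in this file ends with a "[Dirk]"-style attribution (see the surrounding lines and the two "Not security-related" items in the same hunk) and bug fixes elsewhere cite a tracker id such as "(bug #0000644)"; suggest adding the attribution and a bug or advisory reference to the security items so they are consistent with the file's convention and traceable.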
@@ -349,6 +366,17 @@
   every other plugin and built-in function does (bug #0000644) [Dirk]
 
 
+Jul 30, 2009 (1.5.2sr5)
+------------
+
+This release addresses the following security issues:
+- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
+  email a story to a friend.
+- The "Mail Story to a Friend" function didn't check story permissions, so that
+  it was possible to email a story even if you didn't have the permissions to
+  view it on the site.
+
+
 Apr 18, 2009 (1.5.2sr4)
 ------------
 
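Review bot: this 1.5.2sr5 entry, like the 1.6.0sr1 one above, gives no hint of which files were touched, and changes.html (first hunk of this changeset) tells readers that docs/changed-files lists the files changed since the last release, yet changed-files is not among the two files in this changeset's diffstat; please confirm it is updated for both security releases, since that list is what administrators of patched or customised installs use to apply a minimal update.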


