[geeklog-cvs] geeklog-1.3/docs changes.html,1.18,188.8.131.52 history,1.120,184.108.40.206
dhaun at geeklog.net
Sun Oct 12 08:33:33 EDT 2003
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv24040
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18
retrieving revision 220.127.116.11
diff -C2 -d -r1.18 -r18.104.22.168
*** changes.html 9 Aug 2003 11:47:41 -0000 1.18
--- changes.html 12 Oct 2003 12:33:31 -0000 22.214.171.124
*** 23,26 ****
--- 23,45 ----
of files that have been changed since the last release.</p>
+ <h2><a name="changes138-1sr1">Geeklog 1.3.8-1sr1</a></h2>
+ <p>The purpose of this release is to address some of the security issues reported in September and early October 2003. We strongly recommend upgrading to this version.</p>
+ <h3>Security issues</h3>
+ <li>Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).
+ <p>Please note that at the moment we do <strong>not</strong> recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.</p>
+ <h3>Other fixes</h3>
+ <li>Fixed the auto-detection of the value for the <code>$_CONF['cookiedomain']</code> variable if the URL included a port number (such as <tt>example.com:8080</tt>). This will fix the login problems some users were reporting.</li>
+ <li>The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files.</li>
<h2><a name="changes138-1">Geeklog 1.3.8-1</a></h2>
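Review bot: the list markup added under `<h3>Security issues</h3>` is malformed as shown: the `<li>` that begins `Details of SQL errors will not be reported` has no matching `</li>`, and neither group of `<li>` items (under "Security issues" or "Other fixes") is wrapped in a `<ul>`, so the heading is followed directly by list items. Note the hunk header says 19 lines were added (23,26 to 23,45) but only 8 `+` lines appear here, so the wrapping `<ul>` lines may simply have been lost in transit; if they were never there, suggest closing the first item and wrapping each group in `<ul>...</ul>`, and using `<code>` rather than `<tt>` for `example.com:8080` to match `$_CONF['cookiedomain']` on the same line. On the wording: the entry presents keeping SQL error details out of the browser as the fix for the reported injection issues; it would help administrators to say plainly that logging the details to error.log instead of the browser limits information disclosure but does not by itself remove an injection if one exists, which is consistent with the following paragraph's promise of more thorough filtering in an upcoming release.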
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120
retrieving revision 126.96.36.199
diff -C2 -d -r1.120 -r188.8.131.52
*** history 9 Aug 2003 11:47:41 -0000 1.120
--- history 12 Oct 2003 12:33:31 -0000 184.108.40.206
*** 1,4 ****
--- 1,37 ----
+ October 12, 2003 (1.3.8-1sr1)
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+ injections and CSS defacements.
+ When upgrading from an earlier version, please make sure to copy over the
+ $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+ config.php to your own copy of that file.
+ 2. While almost all of the alleged SQL injection issues could not be
+ reproduced, this release includes an update to the MySQL class to not
+ report SQL errors in the browser any more (but only in Geeklog's error.log).
+ This will avoid disclosing any sensitive information as part of the error
+ Please note that at the moment we do NOT recommend to use Geeklog with
+ MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+ not be used on production sites anyway).
+ An upcoming release of Geeklog will address the remaining SQL issues,
+ including any problems with MySQL 4.1.
+ Other fixes (not security-related):
+ - When trying to guess the value of $_CONF['cookiedomain'], we need to remove
+ the port number from the URL, if there is one (bug #75).
+ - The full 1.3.8-1sr1 tarball also includes updated French (Canada) and
+ Turkish language files.
August 9, 2003 (1.3.8-1)
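Review bot: the added history entry is incomplete as shown: the numbered list starts at `2.` with no item `1.`, the line `injections and CSS defacements.` has no preceding line introducing it, and the sentence `This will avoid disclosing any sensitive information as part of the error` stops before its object (the changes.html entry in the same commit finishes it with `error message`). The hunk header claims 33 added lines (1,4 to 1,37) but 21 `+` lines appear, so text has been dropped somewhere; please restore item 1 and the end of that sentence so the history file matches changes.html. Also, if `CSS defacements` refers to cross-site scripting (the upgrade note about copying the `$_CONF['user_html']` and `$_CONF['admin_html']` arrays from the included config.php suggests an allowed-HTML filtering change), spelling it out as cross-site scripting (XSS) avoids confusion with Cascading Style Sheets, and one sentence on what those two arrays control would tell upgraders why the copy step matters.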