Geeklog 1.3.8-1sr1
This version is a security update release over 1.3.8-1. This is being released in response to the recent reports about (confirmed and unconfirmed) security issues in Geeklog.
From the history file inside the .tar.gz file:
GeekLog History/Changes:
October 12, 2003 (1.3.8-1sr1)
----------------
This release is intended to address some of the security issues reported in September and early October 2003.
1. Includes Ulf Harnhammar's kses HTML filter to address possible JavaScript injections and CSS defacements.
When upgrading from an earlier version, please make sure to copy over the $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included config.php to your own copy of that file.
2. While almost all of the alleged SQL injection issues could not be reproduced, this release includes an update to the MySQL class to not report SQL errors in the browser any more (but only in Geeklog's error.log). This will avoid disclosing any sensitive information as part of the error message.
Please note that at the moment we do NOT recommend using Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway).
An upcoming release of Geeklog will address the remaining SQL issues, including any problems with MySQL 4.1.
Other fixes (not security-related):
- When trying to guess the value of $_CONF['cookiedomain'], we need to remove the port number from the URL, if there is one (bug #75).
- The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files.
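To make item 1 concrete, here is an added example of an allow-list HTML filter in the style of kses, driven by arrays shaped like Geeklog's $_CONF['user_html'] and $_CONF['admin_html']. This is illustration code written for this page; it is neither Geeklog's code nor kses itself, and the tag/attribute lists, the $allowed_protocols list and the sample input are assumptions chosen to show why the config arrays have to be copied over on upgrade:

```php
<?php
// Added example: a minimal allow-list HTML filter in the spirit of kses.
// Not Geeklog's code and not kses. The array contents, the protocol list
// and the sample input below are assumptions for illustration.

// Tags and attributes ordinary users may post. Anything not listed is stripped,
// which is what defeats onmouseover="..." handlers and style="" defacements.
$_CONF['user_html'] = array(
    'p'  => array(),
    'b'  => array(),
    'i'  => array(),
    'br' => array(),
    'a'  => array('href' => array()),
);

// Admins additionally get <img> with src/alt, but still no on* handlers or style.
$_CONF['admin_html'] = $_CONF['user_html'] + array(
    'img' => array('src' => array(), 'alt' => array()),
);

$allowed_protocols = array('http', 'https', 'ftp', 'mailto');

function filter_html($html, array $allowed_html, array $allowed_protocols)
{
    // Split into text and tag chunks; DELIM_CAPTURE keeps each <...> as its own chunk.
    $parts = preg_split('/(<[^>]*>)/', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $part) {
        if ($part === '') continue;
        if ($part[0] !== '<') {
            // Text node: a lone "<" must not be able to start a tag after filtering.
            $out .= str_replace('<', '&lt;', $part);
            continue;
        }
        $out .= filter_tag($part, $allowed_html, $allowed_protocols);
    }
    return $out;
}

function filter_tag($tag, array $allowed_html, array $allowed_protocols)
{
    // Comments, doctypes, processing instructions and malformed tags are dropped.
    if (!preg_match('/^<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*\/?>$/', $tag, $m)) {
        return '';
    }
    $closing = ($m[1] === '/');
    $name = strtolower($m[2]);
    if (!isset($allowed_html[$name])) {
        return '';          // tag not on the allow-list: removed, its inner text stays
    }
    if ($closing) {
        return "</$name>";
    }
    $attrs = '';
    // name="value", name='value', name=value or a bare name
    $re = '/([a-zA-Z][a-zA-Z0-9_:-]*)\s*(?:=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+))?/';
    if (preg_match_all($re, $m[3], $am, PREG_SET_ORDER)) {
        foreach ($am as $a) {
            $aname = strtolower($a[1]);
            if (!isset($allowed_html[$name][$aname])) {
                continue;   // e.g. onmouseover, style: not allow-listed for this tag
            }
            $value = isset($a[2]) ? trim($a[2], '"\'') : '';
            if ($aname === 'href' || $aname === 'src') {
                $value = filter_url($value, $allowed_protocols);
                if ($value === '') continue;
            }
            $attrs .= ' ' . $aname . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
        }
    }
    return "<$name$attrs>";
}

function filter_url($url, array $allowed_protocols)
{
    // Undo entity and whitespace tricks ("java&#115;cript:", "java\tscript:")
    // before looking at the scheme, so the check sees what the browser would.
    $check = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $check = preg_replace('/[\x00-\x20]+/', '', $check);
    if (preg_match('/^([a-zA-Z][a-zA-Z0-9+.-]*):/', $check, $pm)
        && !in_array(strtolower($pm[1]), $allowed_protocols, true)) {
        return '';          // javascript:, vbscript:, data: and friends are rejected
    }
    return preg_replace('/[\x00-\x1f]/', '', $url);
}

// Constructed sample input, the kind of payload the release notes are about.
$constructed = '<p onmouseover="alert(1)">Hi <a href="java&#115;cript:alert(1)">x</a>'
             . ' <a href="http://example.com/" style="color:red">ok</a>'
             . '<script>alert(1)</script></p>';

echo filter_html($constructed, $_CONF['user_html'], $allowed_protocols), "\n";
echo filter_html('<img src="http://example.com/a.png" onerror="alert(1)">',
                 $_CONF['admin_html'], $allowed_protocols), "\n";
```

Because the filter is allow-list based, an upgraded site that keeps an old config.php without these arrays has nothing to allow and will strip every tag; that is why the notes ask you to copy $_CONF['user_html'] and $_CONF['admin_html'] over. Note also that stripping a <script> tag leaves its text content behind as plain text, which is harmless but visible.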
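For item 2, here is an added example of the error-reporting change as a small database wrapper. It is not Geeklog's MySQL class; an in-memory SQLite database via PDO stands in for MySQL so the script runs without a server, and the table, the log path and the injected input are assumptions for illustration:

```php
<?php
// Added example, not Geeklog's MySQL class. SQLite (PDO) replaces MySQL so this
// runs offline; table, log path and sample input are assumptions.

class ExampleDb
{
    private $pdo;
    private $errorLog;
    private $verbose;   // true reproduces the pre-sr1 behaviour: error text in the browser

    public function __construct(PDO $pdo, $errorLog, $verbose = false)
    {
        $this->pdo = $pdo;
        $this->errorLog = $errorLog;
        $this->verbose = $verbose;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Raw query, as the 2003-era code base built them by string concatenation.
    public function query($sql)
    {
        try {
            return $this->pdo->query($sql);
        } catch (PDOException $e) {
            return $this->dbError($sql, $e);
        }
    }

    // The actual fix for injection (not the error message): a parameterized query.
    public function fetchTitle($sid)
    {
        $stmt = $this->pdo->prepare('SELECT title FROM stories WHERE sid = ?');
        $stmt->execute(array($sid));
        return $stmt->fetchColumn();
    }

    private function dbError($sql, PDOException $e)
    {
        // Full detail (driver message plus the SQL text, which contains the
        // attacker's own payload) goes only to error.log ...
        $line = sprintf("%s - SQL error: %s - in: %s\n", date('c'), $e->getMessage(), $sql);
        error_log($line, 3, $this->errorLog);

        // ... and the HTTP response either echoes that detail (old behaviour,
        // which discloses table and column names and confirms injection points)
        // or a fixed message (sr1 behaviour).
        if ($this->verbose) {
            echo 'An SQL error has occurred: ', htmlspecialchars($e->getMessage()), "<br>\n";
        } else {
            echo "An SQL error has occurred. Please see error.log for details.\n";
        }
        return false;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE stories (sid TEXT PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO stories VALUES ('20031012', 'Geeklog 1.3.8-1sr1')");

$logPath = sys_get_temp_dir() . '/error.log';   // assumed location for this example

// Constructed input: a stray single quote, the classic probe for SQL injection.
$sid = "20031012'";
$sql = "SELECT title FROM stories WHERE sid = '" . $sid . "'";   // unescaped: syntax error

$old = new ExampleDb($pdo, $logPath, true);
$old->query($sql);          // leaks the driver's message to the browser

$new = new ExampleDb($pdo, $logPath, false);
$new->query($sql);          // generic message; detail is in error.log only

echo $new->fetchTitle('20031012'), "\n";   // parameterized lookup, no concatenation
echo var_export($new->fetchTitle($sid), true), "\n";   // same probe, simply no match
```

Hiding the message closes the information leak but does not remove an injection: the concatenated query above still passes user input into SQL unchanged, which is why the notes say the remaining SQL issues are left for an upcoming release. Make sure error.log itself is not readable through the web server, since it now holds exactly the detail that was taken out of the page.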