Geeklog 1.4.0sr5-1 and 1.3.11sr7-1 bugfix releases

Submitted by Bryan on
"Last week's security release introduced display problems in the comment preview that we're fixing with the following versions:

Please note that when using the 1.4.0 "combo" update, you will also have to remove some files to fix the security issue with FCKeditor's file manager, as explained in the included README file."

[Geeklog]

Geeklog: Fresh Geeklog Release

Submitted by Bryan on

"To address the recently posted exploits for insecure installations and for the mcpuk file manager, we are releasing Geeklog 1.4.0sr4.

In this release, we've removed the file manager altogether, so you will no longer be able to upload images through FCKeditor (this will be enabled again when we release Geeklog 1.4.1 with FCKeditor 2.3). We've also added additional protection against code execution in case of insecure installations but suggest that you really protect your Geeklog install properly as explained in the installation instructions and in the FAQ."


CMSReport.com now running Drupal 4.7.2

Submitted by Bryan on

Just after upgrading CMS Report from Drupal 4.7.0 to 4.7.1 a couple of days ago, Drupal has released 4.7.2. In my mind, the update can best be described as a better fix to the fix. Why did Drupal need to release another security update? The excerpt below from a Drupal Security Advisory gives the reasons:

Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser under certain common Apache configurations, it will cause the script inside to be executed. We deemed this exploit critical and released Drupal 4.6.7 and 4.7.1 six hours after the report was filed. The fix was to create a .htaccess file to remove /all/ dynamic script handlers, such as PHP, from the "files" directory.

After continuous review, however, we've found that the fix will not work in certain Apache configurations, for example those for whom .htaccess FileInfo overrides are disabled. We are thus releasing 4.6.8 and 4.7.2 with a more robust .htaccess fix, as well as a Drupal core solution to the issue which will work under all configurations.

The latest versions of Drupal can be downloaded at Drupal.org.
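The advisory above turns on Apache's multiple-extension handling: mod_mime matches any segment of a name like file.php.pps, so a script handler can fire on an "uploaded document". The advisory mentions a Drupal core solution without detail; the following is an added example, not Drupal's own code, of the application-side mitigation in that spirit: flag uploads whose intermediate extensions name a script type, and neutralise them by appending an underscore so no segment matches a handler any more. The extension lists are constructed assumptions, not values from the page.

```python
# Extensions that common Apache setups map to a script handler. Constructed
# list for the example; a real site takes it from its own server config.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "py",
                     "cgi", "asp", "sh"}


def has_intermediate_script_extension(filename):
    """Detection: True if any segment other than the last names a script
    type, e.g. 'file.php.pps' or 'file.sh.txt' (the advisory's examples)."""
    parts = filename.lower().split(".")
    return any(ext in SCRIPT_EXTENSIONS for ext in parts[1:-1])


def munge_filename(filename, allowed_extensions):
    """Mitigation: append '_' to every intermediate extension that is not on
    the site's allow list, so 'file.php.pps' becomes 'file.php_.pps' and
    mod_mime no longer sees a '.php' segment. Names with fewer than two
    extensions are returned unchanged."""
    allowed = {e.lower() for e in allowed_extensions}
    parts = filename.split(".")
    if len(parts) < 3:
        return filename
    munged = [parts[0]]
    for ext in parts[1:-1]:
        if ext.lower() not in allowed:
            ext += "_"
        munged.append(ext)
    munged.append(parts[-1])
    return ".".join(munged)


def sanitize_upload_name(filename, allowed_extensions):
    """Combine both checks: reject a file whose final extension is not on the
    allow list (returns None), otherwise return the munged, safe name."""
    allowed = {e.lower() for e in allowed_extensions}
    final_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if final_ext not in allowed:
        return None
    return munge_filename(filename, allowed)


if __name__ == "__main__":
    # Constructed sample uploads, including the advisory's two examples.
    for name in ("file.php.pps", "file.sh.txt", "report.txt", "shell.php"):
        print(name, "->", sanitize_upload_name(name, {"pps", "txt", "jpg"}))
```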

Security Bulletin: Don't Snooze, Update your Drupal

Submitted by Bryan on

Drupal users who took an extended vacation over the US Memorial Day weekend will want to note that Drupal 4.6.7 and Drupal 4.7.1 have been released. This latest update to Drupal was issued mainly to address a couple of security issues.

Drupal 4.6.7 and Drupal 4.7.1 are available for download. These are maintenance releases that fix problems reported using the bug tracking system, as well as two security vulnerabilities.

Upgrading your existing Drupal sites is strongly recommended.

There are no new features in these installments. For more information about the Drupal 4.6.x release series, please consult the Drupal 4.6.0 release announcement. For more information about the Drupal 4.7.x release series, consult the Drupal 4.7.0 release announcement.

As should be expected, CMS Report is currently running the very latest stable version of Drupal, 4.7.1.

XOOPS 2006/05/23 security patch released

Submitted by Bryan on

"The 2006/05/23 security patch has been released to fix the security issue disclosed as Secunia Advisory 20176. Please note that this issue only concerns servers configured with register_globals set to on, which is a disrecommended setup. However, we recommend every XOOPS 2.X user to apply it, especially those who are forced to use a 2.0.x version anterior to 2.0.13.2, as the additional protection it contains may protect you from other issues known to these old versions."

[XOOPS.org]