xss

Movable Type News: Announcing Movable Type 3.35

"Late last week we released Movable Type 3.35 and Movable Type Enterprise 1.53. The impetus for this release was a XSS vulnerability that was found in our comment preview code. The vulnerability affects only a small number of people, but we felt it important to address the issue as soon as we could. And since we were turning on the release machines we went ahead and tackled a couple of other bug fixes and introduced a new feature as well."

Complete Story

DotNetNuke: Forums module updated to address security issues

"A new version of the forums module, 03.20.09, has just been released to address some critical security issues. The vulnerabilities that have been fixed were all cross-site scripting issues (XSS), where malicious users could potentially inject dangerous html and javascript into forum content."

Complete Story

Patch for SMF 1.1 is out

As I mentioned on my forum, a patch for the forum web application SMF has been released. Earlier this month we talked about SMF 1.1 Final being out and how easy it is to upgrade SMF. Installing the patch was even easier: SMF can not only install the package for you, it can also download the patch itself through the browser. No FTP or Linux shell required! That is something I would like to see in all my favorite content management systems.

The SMF 1.1.1 patch is mostly a bug-fix release, but it also includes a security improvement for a cross-site scripting vulnerability affecting Internet Explorer users. The changes from SMF 1.1 to 1.1.1 include:

  • Fixed potential XSS vulnerability for users of Internet Explorer.
  • Changed the way SMF logs IP addresses to make it harder for someone to bypass banning.
  • Fixed bug in BBC parsing that could cause an error for people with special characters in their username on certain versions of PHP.
  • Fixed apostrophes in smiley location path causing a database error.
  • Fixed usage of an array before it was declared causing issues for bridges.
  • Fixed Personal Message labels not being properly restricted to the current member.
  • Fixed search sometimes returning no results when it should have done.
  • The sticky checkbox in prune boards would alternate when it shouldn't have done.
  • Send announcements out in slightly smaller chunks.

The complete announcement for the SMF patch can be found at the Simple Machines forum. The announcement also contains a tarred and gzipped patch for those who need or prefer to upgrade the "old-fashioned" way.

s9y.org: Serendipity 1.0.2 and 1.1-beta5 released

The folks at Serendipity have released version 1.0.2 to address cross-site scripting (XSS) vulnerabilities "on the admin backend which could happen if registered authors can be tricked into following a specially crafted URL." The 1.1 Beta 5 also contains this fix along with the following new changes since Beta 1:

  1. Themes can now support custom amounts and positions of any number of sidebars (top, bottom, left, right etc.)
  2. Usergroups can now configure which plugins/events a group is allowed to execute
  3. Added the option to use HTTP authentication for your login, which enables you to use secured RSS feeds with login credentials
  4. Fixed some permalink oddities when using % in URLs, plus some other minor fixes.

You can read more details about this release at Serendipity.
