Contributed by: Dirk Monday, June 10 2002 @ 02:45 am EDT
In order to secure your installations, we have released Geeklog 1.3.5sr1 which addresses these issues. You are strongly encouraged to upgrade to this version as soon as possible.
If your site is running Geeklog 1.3.5, you could also download this file which contains just the affected files. After uploading them, your installation will be secure. Please note that this may overwrite customisations you may have made to the affected files.
With CVS not in a releasable state and Tony being out of town, this issue caught us at an unfortunate time in the development process. So what you have here is a joint effort of the rest of the team to fix these issues and secure your data again.
Since Geeklog 1.3.6 is not ready for prime time yet, it was decided to base this release on Geeklog 1.3.5. Besides the security issues, it also includes some minor fixes, e.g. the missing field 'emailfromadmin' and a fix for the batch user import. Details are available from the docs/history file that comes with this release.
We would like to thank the people at olympos.org who found the security issues and gave us the necessary time to fix them.