Welcome to Geeklog Monday, November 20 2017 @ 04:05 pm EST

Geeklog 1.3.8-1sr2

  • Contributed by:
  • Views: 10,608
Security

Following on the heels of 1.3.8-1sr1 is 1.3.8-1sr2, available as a (tiny) upgrade archive as well as a complete tarball.

Jouko Pynnonen found a way to trick the new "forgot password" feature, that was only introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses this issue - there were no other changes.

Users of 1.3.7sr3 are not affected (as the feature simply didn't exist there).

bye, Dirk