Contributed by: Dirk on Tuesday, October 14 2003 @ 04:30 pm EDT
Last modified on
Following on the heels of 1.3.8-1sr1[*1] is 1.3.8-1sr2, available as a (tiny) upgrade archive[*2] as well as a complete tarball[*3] .
Jouko Pynnonen found a way to trick the new "forgot password" feature, that was only introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses this issue - there were no other changes.
Users of 1.3.7sr3 are not affected (as the feature simply didn't exist there).
bye, Dirk