Unfortunately, yet another Geeklog security issue has surfaced: Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. This bug exists in all Geeklog versions released since 2002.
To address this serious issue, we are releasing the following security updates and strongly suggest that you upgrade your site as soon as possible.
- Geeklog 1.4.0sr2 (complete tarball and upgrade archive)
- Geeklog 1.3.11sr5 (upgrade from 1.3.11sr4 and a combo update that includes all previous updates)
- Geeklog 1.3.9sr5 (upgrade from 1.3.9sr4)
The 1.4.0sr2 update also strips HTML tags from the location entry in a user's profile (a problem that only existed in 1.4.0). The 1.3.9sr5 update also includes the fixes for the earlier security issues. While Geeklog 1.3.9 isn't officially supported any more, we're making an exception here because of the severity of the issues and since many people still seem to be using that version. Nevertheless, we'd suggest that you upgrade to 1.4.0 at your earliest convenience.
Well, I guess there goes our reputation of being one of the more secure web applications. After two severe issues in two weeks it's hard to hold up that claim much longer. Apologies on behalf of the Geeklog Team for any inconveniences we may have caused you.
As a consequence, we will be concentrating on doing code reviews and fixing bugs (security-related and otherwise) for Geeklog 1.4.1 and will put implementing new features on the back burner. We've obviously got some homework to do in order to earn back your trust.
Please feel free to use the comments or the Feedback forum to tell us what you think about all this.