Contributed by: Dirk Monday, April 13 2009 @ 11:55 am EDT
Geeklog 1.5.2sr3 addresses the recently published exploit[*1] for an SQL injection in the webservices. It is available for download.
After installing this update, you can enable the webservices again if you need them (or leave them disabled if you don't - they are not an essential feature, unless you happen to be using an AtomPub client to post articles).
After the recent series of security issues, we will of course now take a closer look at Geeklog's source code again and re-evaluate our security measures. What's interesting about the last two exploits, for example, is that they simply were not possible a few years ago, as they rely on new features in MySQL 5. So there's obviously room for improvement here.
A quick overview of our plans for the near future: We're currently wrapping up the selection process for the student applications[*5] for this year's Summer of Code (results to be announced on April 20). We will also be publishing a beta version of Geeklog 1.6.0 at around the same time. Any results of the code review will then go into the final 1.6.0 release (no due date yet, but tentatively before or around May 23, again in sync with the timeline for the Summer of Code).
Sorry for the recent hassle and we hope you stick with us.