
Geeklog 1.8.2sr1 and 2.0.0rc2

Security
  • Wednesday, February 20 2013 @ 05:40 AM EST
  • Views: 4,042

We have received two reports about security issues that affect Geeklog in both current versions, i.e. 1.8.2 and 2.0.0 (which is not officially out yet, but in release candidate state):

  • High-Tech Bridge Security Research Lab reported an XSS in the calendar_type parameter in the Calendar plugin.
  • Trustwave Spiderlabs reported XSS in the install script, the Configuration, as well as in the Admin interfaces for the Polls plugin and the Topic editor.

To address these issues, we are releasing Geeklog 1.8.2sr1 (complete archive; also available as an update from 1.8.2) and Geeklog 2.0.0rc2.

In addition to the security fixes, Geeklog 1.8.2sr1 also fixes a problem with the Twitter OAuth login. Geeklog 2.0.0rc2 includes further (non-security) bugfixes for this major update.

While the reported security issues are not easy to exploit (due to other security measures in Geeklog), we strongly suggest that you install these updates as soon as possible. Also, be careful when clicking on external links while being logged in as an Admin user - especially when you are unexpectedly prompted for your password.


  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: LWC on Wednesday, February 20 2013 @ 12:55 PM EST
Can you post a Geeklog 1.8.1 to 1.8.2sr1 Upgrade file?
  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: Laugh on Wednesday, February 20 2013 @ 01:16 PM EST
If Dirk doesn't I will on the weekend.

Tom
  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: Laugh on Friday, February 22 2013 @ 10:13 AM EST
It looks like Dirk got to it first. Use this first:

Geeklog 1.8.1 to 1.8.2 Upgrade

and then:

Security Update for Geeklog 1.8.2
  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: LWC on Saturday, February 23 2013 @ 05:05 AM EST
My request was for you to combine it into Geeklog 1.8.1 to 1.8.2sr1 Upgrade.
  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: LWC on Saturday, February 23 2013 @ 05:07 AM EST
I definitely posted this comment in the right place. Looks like it's a bug that was posted as a brand new comment.
  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: Dirk on Saturday, February 23 2013 @ 06:00 AM EST

Why? We have never provided such upgrades in the past. In fact, the 1.8.2 upgrade package that Tom provided was already an exception - we only provide such "diff" upgrades for security issues. Is it really that much work for you to download and install two such files?

I'm all for making updates as easy as possible, but please consider that it's a lot of work for us to provide all these extra archives. And where will it stop? Someone is surely going to ask for a "diff" archive from 1.8.0 next ...

  • Geeklog 1.8.2sr1 and 2.0.0rc2
  • Authored by: LWC on Sunday, February 24 2013 @ 12:47 PM EST
I'd say it should stop one version before the latest. No more, no less.

It's needed because some of us use custom files. This requires re-customization every time a new version comes out. In this case it means double re-customization.
  • Geeklog 2.0.0rc2 Bug Fix
  • Authored by: Laugh on Friday, February 22 2013 @ 10:08 AM EST
There is a small bug in Geeklog 2.0.0rc2 that creates double lines in articles that use plain text mode. To fix please replace the COM_nl2br function in lib-common.php with:

function COM_nl2br($string)
{
    // Fall back to a plain HTML <br> if Geeklog's XHTML constant is not defined
    if (! defined('XHTML')) {
        define('XHTML', '');
    }

    $replace = '<br' . XHTML . '>';
    // Two-byte line endings are listed before the single bytes so that
    // each line break is replaced exactly once
    $find = array("\r\n", "\n\r", "\r", "\n");
    return str_replace($find, $replace, $string);
}
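As an added example (not code from the comment above or from Geeklog itself), the script below shows why the order of the search array in str_replace() matters for a function like COM_nl2br: PHP applies the array entries left to right, so if a lone "\r" is replaced before "\r\n", a Windows line ending yields two <br> tags. The function nl2br_wrong_order is a constructed variant for comparison, not a claim about what caused the rc2 bug.

```php
<?php
// Added example: compares CRLF handling with the search array in the
// posted order versus a deliberately reversed order.

if (!defined('XHTML')) {
    define('XHTML', ''); // plain HTML <br>; Geeklog may define this differently
}

// Same search order as the fix posted in the comment: CRLF and LFCR are
// matched as single tokens before the lone CR and LF are considered.
function nl2br_fixed($string)
{
    $replace = '<br' . XHTML . '>';
    $find = array("\r\n", "\n\r", "\r", "\n");
    return str_replace($find, $replace, $string);
}

// Hypothetical variant (constructed here) with the single bytes first.
// str_replace() works through the array left to right, so "\r" is replaced
// before "\r\n" can match, and the leftover "\n" produces a second <br>.
function nl2br_wrong_order($string)
{
    $replace = '<br' . XHTML . '>';
    $find = array("\r", "\n", "\r\n");
    return str_replace($find, $replace, $string);
}

// Constructed samples: Windows (CRLF), Unix (LF) and classic Mac (CR) endings.
$samples = array(
    'crlf' => "line one\r\nline two",
    'lf'   => "line one\nline two",
    'cr'   => "line one\rline two",
);

foreach ($samples as $name => $text) {
    $fixed = nl2br_fixed($text);
    $wrong = nl2br_wrong_order($text);
    printf("%-4s posted order: %d <br>, reversed order: %d <br>\n",
        $name, substr_count($fixed, '<br'), substr_count($wrong, '<br'));
}
```

Only the CRLF sample differs between the two orderings, which is the case that shows up as a doubled blank line when a plain-text article is rendered.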