Savane - News: Release 1.4: security fix (XSS), bugfixes, cosmetics


Release 1.4: security fix (XSS), bugfixes, cosmetics

Item posted by Mathieu Roy <yeupou> on Sat Feb 4 09:26:26 2006.

Here comes a new Savane release. This release brings no new features, only bugfixes. Most notably, it fixes a cross-site scripting bug (XSS -- which means a low security fix) that was introduced in the 1.3 release. If you are running Savane 1.3, we urge you to upgrade soon, even if the effects of such a flaw are not critical. Previous releases are unaffected.

Thanks a lot to everyone involved in this release, most notably Tobias Toedter for fixing bugs and Karol Nowak for reporting the XSS issue.

Release tracking was done in task #2686.

If you are still running a Savane version older than 1.3, note that we moved to SVN. See for more details.

Obtaining it:
- The GPG-signed tarball is available at <>
- You can use apt-get with Debian, adding "deb stable/" (without quotes) in your /etc/apt/sources.list

Upgrading a running installation:
No upgrade scripts are needed if you are upgrading from 1.3.

If you are running a version older than 1.3, you should run the scripts in savane/update for each release you missed, as described in savane/update/README (or shipped with the Debian package savane-update).

Installing it from scratch:
Just follow INSTALL.verbose. You will probably want to take a look at the more complete guides available at <>

If you encounter undocumented troubles, please file a support request at <>

Release ChangeLog:

  • Added new status 'Orphaned/Unmaintained' in hashes.txt (bug #4811).

is now case-insensitive to avoid infinite redirection loops (bug #4947).

  • Fixed a security issue with cross site scripting (XSS) during the submission of a new tracker item (bug #5011)

  • Fixed a bug causing attached files to be ignored during item reassignation (bug #4844).

  • Fixed a bug causing wrong email addresses to be used when notifying admins after request for membership (bug without effect if /etc/aliases was updated by sv_aliases, bug #4744).

  • Fixed notification to submitter if assignee changed and submitter is neither new nor old assignee.

  • License Other filled during submission is now printed as License if "License" is equal to "Other".

  • There was a typo in the name of the default theme "emeraud" in sv_update_conf (bug #4975).

  • The PHP frontend can now use unit testing. A few tests are already included. This will be improved with more tests as development goes on.

That's all, folks!

