
Release 1.0.2: bugfixes, cosmetics improvements and security fixes

Item posted by Mathieu Roy <yeupou> on Mon Mar 29 13:19:23 2004.


Savane 1.0.2 is released today. Some bugfixes/tasks were planned for
this release but are postponed, since this release covers one
significant security fix, for a bug that could lead to remote code
execution as the webserver user via the file frontend/php/include/vars.php.

You are advised to update your copy ASAP. In itself, it is not a significant problem, but combined with other security holes on a webserver it could lead to the worst.
This bug does not explain Savannah's November compromise, as this code was not in the Savane version running during the compromise, and we are not aware of any exploit made with that bug.

-- The release tracking has been made with the item task #247 at Gna! <>

-- Tarball gpg-signed by myself is available at <>

-- This announce gpg-signed is available at <>

-- Changes from 1.0.1 to 1.0.2:

* Cosmetics improvements (closes: bugs #303, bugs #290).
* Fix spelling issues (closes: bugs #307)
* Code cleanups (closes: task #257).
* Fix side effect at the end of user/project list (closes: bugs #296).
* Fix PHP Warnings when commenting a support request (closes: bugs #280).
* Update i18n.
* Remove the X-Copy to header from the mails sent, but send mails
with one call to mail(), in order to send one mail, with one
* Dependencies list mention if an item is closed (closes: task #263).
* Fix Disabling CVS under Active Features method so it prevents
CVS links from main page (closes: bugs #299).
* Allow dashes by default for group names (closes: bugs #292).
* Fix history info for global notification (closes: bugs
* Fix global notification settings cancelling notification,
thanks to Sylvain Beucler (closes: bugs #314).
* No longer automatically [ and ] to item pointers, as
altering content proves to be more frequently annoying than
* Follows RFC822 and quote real names in From: and To: mail
headers whenever appropriate (closes: bugs #313).
* Show with icons whether dependent items are closed (closes:
task #264).
* Fix a bug that caused bookmarks to no longer be named
properly (closes: bugs #285).
* $feedback is now converted to html entities (closes: bugs #320).
* Security fix to avoid remote code execution by the webserver.

I'd like to thank Sylvain Beucler for the frequent reports he made, helping us to improve the software for this 1.0.2 release, and Lorenzo Hernandez Garcia-Hierro for the security checks that found the vars.php bug.


Tarball updated to 1.0.2-2 (posted by Mathieu Roy, Tue Mar 30 07:27:41 2004)

The tarball has been updated to 1.0.2-2 (minor bugfix not completely applied), under the same package name, re-gpg-signed.
