Savane - News: Release 1.4: security fix (XSS), bugfixes, cosmetics

 
 

Release 1.4: security fix (XSS), bugfixes, cosmetics

Item posted by Mathieu Roy <yeupou> on Sat 04 Feb 2006 09:26:26 AM UTC.

Here comes a new Savane release. This release brings no new features, only bugfixes. Most notably, it fixes a cross-site scripting bug (XSS -- which means a low-severity security fix) that was introduced in the 1.3 release. If you are running Savane 1.3, we urge you to upgrade soon, even if the effects of such a flaw are not critical. Previous releases are unaffected.

Thanks a lot to everyone involved in this release, most notably Tobias Toedter for fixing bugs and Karol Nowak for reporting the XSS issue.

The release was tracked in task #2686.

If you are still running a Savane version older than 1.3, note that we moved to SVN. See https://gna.org/forum/forum.php?forum_id=982 for more details.

Obtaining it:
-------------
- The GPG-signed tarball is available at <http://download.gna.org/savane/>
- You can use apt-get with Debian, adding "deb http://dl.gna.org/savane/debian/ stable/" (without quotes) in your /etc/apt/sources.list

Upgrading a running installation:
---------------------------------
No upgrade scripts are needed if you are upgrading from 1.3.

If you are running a version older than 1.3, you should run the scripts in savane/update for each release you missed, as described in savane/update/README (also shipped with the Debian package savane-update).

Installing it from scratch:
---------------------------
Just follow INSTALL.verbose. You will probably want to take a look at the more complete guides available at <http://download.gna.org/savane-doc/>

If you encounter undocumented problems, please file a support request at <https://gna.org/support/?group=savane>

Release ChangeLog:
------------------

[SITE SPECIFIC CONTENT]

  • Added new status 'Orphaned/Unmaintained' in hashes.txt
    (bug #4811).

[FRONTEND]

is now case-insensitive to avoid infinite redirection loops
(bug #4947).

  • Fixed a security issue with cross-site scripting (XSS) during
    the submission of a new tracker item (bug #5011).

  • Fixed a bug causing attached files to be ignored during item
    reassignment (bug #4844).

  • Fixed a bug causing wrong email addresses to be used when
    notifying admins after a request for membership (bug without effect
    if /etc/aliases was updated by sv_aliases, bug #4744).

  • Fixed notification to submitter if assignee changed and
    submitter is neither new nor old assignee.

  • "License Other" filled in during submission is now printed as License
    if "License" is equal to "Other".

[BACKEND]

  • There was a typo in the name of the default theme "emeraud" in
    sv_update_conf (bug #4975).

[INTERNAL]

  • The PHP frontend can now use unit testing. A few tests
    are already included. This will be improved with more
    tests as development goes on.

--------------------------

That's all, folks!
