pkgsrc change:
* Prefix PKGNAME with ${PHP_PKG_PREFIX}.
* Now depends on php-mysqli instead of php-mysql.
* Now allow all pkgsrc's PHP versions.
December 9, 2015 (2.1.1)
------------
- [Security] Log parameters for 404 errors & make filtering in 404.log work like in error.log [Dirk]
- [Security] Removed the code used for File Manager demos and tests shipped with WideImage to prevent an XSS [Mystralkk]
- [Security] Updated File Manager to version 2.2.0 (fixed security issue with file upload check) [Mystralkk]
- [Security] Configuration string input sanitizing overhaul. Now can be config option specific by
adding sanitize rule in config validation file. Default is now all strings are stripped of tags [Tom]
- [Update] CKEditor to version 4.5.4 [Dengen]
- [Update] jQuery to version 1.11.3 and jQuery UI to version 1.11.4. jQuery Timepicker Addon updated [Tom] [Dengen]
- [Update] OAuth class to version 1.141 [Tom]
- [Feature] Integrated the UIkit framework version 2.24.0 into Geeklog [Dengen]
- [Feature] Denim theme now uses UIkit [Dengen]
- [Feature] Added first part of developer mode which adds extra error logging for any template errors
- [Feature] Plugins can now include default templates and css files along with ones for different themes
Plugins template and css files can be included with themes. Plugins template files can now have
a function.php file to control what javascript is loaded [Tom]
- [Feature] Schema.org article, author, and Breadcrumb markup added to Denim and Modern Curve themes [Tom]
- [Feature] Poll plugin bar graphs now based on percentage and supports responsive themes [Tom]
- [Feature] Useful feature template class [Tom]
- [Feature] Allow xmlSiteMap Plugin to Ping Search Engines when new content is Added [Mystralkk]
- [Feature] XMLSitemap Plugin - Add dedicated API [Mystralkk]
- [Feature] Change default admin page to index.php from moderation.php [Dengen]
- [Feature] Search form part of the theme is not accessible. [Dengen]
- [Feature] Localization of message "Unfortunately, an error has occurred rendering this page." [Mystralkk]
- [Feature] Add Pagination with rel=next and rel=prev [Tom]
- [Bug] Added email check to Com_mail to prevent plugins from sending email to users who don't have an address (Oauth users) [Tom]
- [Bug] Cached Articles Sometimes do not Display on website [Tom]
- [Bug] Current LDAP module doesn't work properly - new Simple_LDAP Authentication provided [Mystralkk]
- [Bug] Duplicate Blocks [Mystralkk]
- [Bug] Remove hardcoded checks for TLD in domain names [Mystralkk]
- [Bug] Geeklog Does Not Accept .website TLD [Mystralkk]
- [Bug] Install script Migrate option needs to handle cookiesecure config value [Dirk]
- [Bug] Hidden config option 'search_use_fulltext' can be found using search in Configuration [Dengen]
- [Bug] Errors while editing blocks reset all options [Dengen]
- [Bug] The administrator is forced to be an input of the user password in the Edit User screen [Dengen]
- [Bug] Wrong permissions with articles submitted by guest users [Dengen]
- [Bug] Declaration of dc: namespace missing from RSS and RDF feeds [Mystralkk]
- [Bug] Missing blank in feed headers [Dirk]
- Integrated Caching Template Library original developed by Joe Mucchiello [Tom]
- Support for themes to specify a default theme. Default themes template and css
files will be used unless they are included in the new theme directory [Tom]
- Added configruable caching support for blocks (regular and gldefault),
staticpages and articles [Tom]
- Speed increases by caching topic tree structure [Tom]
- What's Related article block now includes all Topics. Can set length of titles
[Tom]
- Articles now list what Topics they are filed under. [Tom]
- New related_topics autotag. It displays all topics an item belongs too. [Tom]
- New related_items autotag. It displays all other related items based on what
topics the defined item belongs too [Tom]
- Updated Command & Control layout. Plugins can now organized into groups. [Tom]
- New OAuth login methods supported (Google, Microsoft, Yahoo). OAuth supported
now includes 1.0, 1.0a, and 2.0 (depends on what the provider supports) [Tom]
- Javascript and css can now be loaded in a specified order. [Tom]
- Numerous fixes for multi-language support [Tom]
- Added CKEditor 4.3.2 as the default advanced editor for Geeklog [Dengen]
- New article render which fixes entities etc... from showing up where they
shouldn't [Dengen]
- New Advanced Editor System that allows developers to easily to add new
javascript editors [Dengen]
- Article, Staticpages Poll and Topic IDs can now be 128 characters long [Tom]
- User Login page now can be accessed directly without first displaying a login
error message [Tom]
- Fixed deadlock issues with the session table [Tom]
- Updated Hebrew language files, provided by LWC
- jQuery can now be included in the header [Tom]
- Updated to jQuery 1.10.2 and jQuery UI to 1.10.3 [Tom]
- Added a Filemanager [Kenji ITO]
- Added timepicker jQuery control [Dengen]
Here is summary from release announce. Full changes are available in
docs/history file. (XSS problem was already fixed by geeklog-1.8.2sr1.)
* Improved strength of password hashing
* Allow Topics to have child Topics
* Allow Articles, Blocks and other Plugin objects to be associated with more
than one Topic
* Topic Breadcrumb support
* Emergency Rescue Tool is included with the Geeklog Install
* Added support for MySQLi
* Add Stop Forum Spam and Spam Number of Links Modules to Spam-X
* A new theme called Denim which is based on Responsive Web Design
* A new theme called Modern Curve
* Comments Form on same page as Articles and plugin other Plugin objects
* Comments RSS Feed Plugin now integrated into Geeklog
* Includes updated versions of jQuery to 1.9.1 and jQuery UI to 1.10.1
* Updated FCKeditor version to 2.6.9
* XSS fixes for the Install, Configuration, Topic Editor, Polls Plugin and
Calendar Plugin
* Twitter OAuth API updated
* HTML 5 DOCTYPE
Geeklog History/Changes:
Feb 19, 2013 (1.8.2sr1)
------------
This release addresses the following security issues:
- High-Tech Bridge Security Research Lab reported an XSS in the calendar_type
parameter in the Calendar plugin (HTB23143).
- Trustwave Spiderlabs reported XSS in the install script, the Configuration,
as well as in the Admin interfaces for the Polls plugin and the Topic editor
(TWSL2013-001).
Not security-related:
- Fixed Twitter OAuth login by switching to version 1.1 of the Twitter API
(feature request #0001506).
Geeklog History/Changes:
Dec 30, 2012 (1.8.2)
------------
- A remote service user now bypasses current password check when account is
deleted (bug #0001417) [Tom]
- Fixed Twitter OAuth login error after Twitter deactived some old URLs (bug
#0001497) [Tom]
- $dbconfig_path was not escaped in the install script (bug #0001457, patch
provided by mystral-kk)
- COM_stripslashes will now handle arrays; this was a problem during
re-authentication after a security token expired (bug #0001413) [suprsidr]
- The comment count for a story could be wrong if there was a different object
with the same id and a comment (bug #0001414) [Tom]
- Feeds with the full story text still had a '...' at the end (bug #0001431)
[Jeff Rivett, Tom]
- Allow MIME type application/x-gzip-compressed when uploading a plugin for
installation (bug #0001405) [Dirk]
- Fixed compatibility with MySQL 5.5 (bugs #0001410, #0001456). This also
raises the minimum supported MySQL version to 4.1.2 [Dirk, Tom]
Oct 9, 2011 (1.8.1)
-----------
- Fixed exact match censoring option (bug #0001392) [Tom]
- Fixed adding elements to empty Configuration arrays (bug #0001396) [Tom]
- Blank out OAuth consumer key and secret in rootdebug dumps [Dirk]
- Fixed deleting elements from Configuration arrays (bug #0001394, patch
provided by dengen)
- Avoid censoring in What's Related block (bug #0001393) [Tom, Dirk]
- Fixed error message display in admin's user editor when renaming the
userphoto failed [Dirk]
- Don't display details of a failed MS SQL query by default [Dirk]
- Updated Japanese language file, provided by the Geeklog.jp group
Quote from release announce:
With Geeklog 1.8.0 we have raised the minimum system requirement for PHP.
PHP version 5.2.0 or greater is now required.
There are a number of new features with this version of Geeklog. These
include:
- Improved Configuration, which was the Google Summer of Code project of
Akeda Bagus from 2010. Improvements include the ability to search for
configuration attributes, tabs, input validation as well as an updated
look.
- OAuth Support, allowing users to log into a Geeklog site with their
Facebook, Twitter, or LinkedIn account, developed by Hiroshi Sakuramoto of
Geeklog Japan.
- Includes jQuery 1.5.2 and jQuery UI 1.8.11
- Updated Professional theme with new icons and tooltips.
- Reworked Plugin Admin interface that now checks for dependencies when a
plugin is installed.
Feb 20, 2011 (1.7.2)
------------
Note: This will be the last Geeklog version to work on PHP 4. We will provide
security fixes for this version until 2012. Future versions of Geeklog will
require PHP 5.2.0 or later. For details, please see
http://www.geeklog.net/article.php/end-of-php4-support
- PostgreSQL fixes:
* It wasn't possible for several Geeklog instances to share a Postgres
database (bug #0001251) [Rouslan]
* Fixed dbSave [Dirk]
* Fixed error reporting [Dirk]
* Fixed compatibility with PHP 4 [Dirk]
- Fixed replacing the [imageX] tags when changing a story's id (bug #0001256)
[Dirk]
- Fixed Static Pages plugin to work with PHP 4 (bug #0001239) [Tom]
Jan 2, 2011 (1.7.1sr1)
------------
This release addresses the following security issue:
Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's
configuration panel.
Geeklog History/Changes:
Oct 31, 2010 (1.7.1)
------------
- Fixed description of $index parameter for STORY_renderArticle (bug #0001203)
[Dirk]
- The number of successfully imported users was always reported as 0 for the
"Batch Add" option in the User Manager (bug #0001211) [Ivy, Dirk]
- Fixed a bug in the MS SQL changeDESCRIBE method to properly prefix the proper
sql query string [Randy]
- Updated Hebrew language files, provided by LWC
- New Italian language files for the Links plugin, provided by Rouslan Placella
- Updated Italian language files for the Static Pages plugin, provided by
Rouslan Placella
Calendar Plugin
---------------
- Fixed an SQL error when returning search results for the Personal Calendar
(bug #0001195) [Dirk]
Oct 10, 2010 (1.7.1rc1)
------------
- If content from an Autotag produces another Autotag it will be executed (to a
maximum of 5 times) [Tom]
- Themes can now have their own display functions for the start and end of
Blocks. (Feature #0001188) [Tom]
- Reverted a change in 1.7.0 that would send a Content-Type header when calling
COM_refresh since this conflicts with some plugins (e.g. the Forum) [Dirk]
- Fixed wrong view after posting a comment on a poll (bug #0001080, patch
provided by Wojtek Szkutnik)
- Fixed language in the dropdown for the permanent cookie in the Configuration
(bug #0001117, patch provided by Eric Brisco)
- Added cancel and delete buttons to comment edit and submission forms when
needed. (Feature #0000981) [Tom]
- Reverted parts of the changes for bug #0001057: Do _not_ escape curly braces
when displaying a block's content (bug #0001156). If you run into the problem
that words in curly braces inside blocks are interpreted as template
variables, simply add a space after the opening and/or the closing brace
[Dirk]
- Autotags can now be inserted directly into template files.
(Feature #0001181) [Tom]
- Plugins are able to control moderation and return a string to be displayed.
(Feature #0000619 patch provided by jmucchiello)
- Admin lists can now display a 0 in a column instead of being blank
(bug #0001060 patch provided by jmucchiello)
- Fixed "Show & Hide Boxes" option in My Account (reported by Pushkar) [Dirk]
- Display the topic name (instead of the topic id) in the list of draft stories
(bug #0001171) [Dirk]
- Fixed COM_formatTimeString to correctly handle intervals bigger than 4 weeks
(bug #0001158) [Dirk]
- Call PLG_templateSetVars for the Advanced Search form [Dirk]
- Make sure we keep the current status of the user's Advanced Editor option
even when Advanced Editor is disabled for the site (Thanks, Markus) [Dirk]
- Comment submissions for plugins were missing the type [Dirk]
- In the Group Editor, hide the 'Apply "Default Group" change' option until the
state of the "Default Group" checkbox changes (feature request #0001116,
patch provided by Dushyant Tiwari)
- Fixed handling of $LANG_DIRECTION in the install script (cf. bug #0000871)
- Fixed query highlighting in articles - didn't work for queries that contained
characters filtered by COM_applyFilter [Dirk]
- Updated Japanese language file, provided by the Geeklog.jp group
- New and updated French (France) language files, provided by Ben
- Updated Hebrew language file for the Links plugin, provided by LWC
Static Pages Plugin
-------------------
- Call up the Advanced Editor when enabled (bug #0001147, patch provided by
Samuel Leathers)
- A Static Page can now be marked as a template and used by other Static Pages.
(Feature #0001085) [Tom]
Quote from release announce:
This release adds support for PostgreSQL (in addition to MySQL and MS
SQL), developed by Stan Palatnik during the Google Summer of Code
2009. It also adds a re-authentication option in case the CSRF token
expires, thus preventing loss of data. For other improvements, please
see the list of changes. Of course, it also addresses the latest
security issue.
We would also like to thank all those students again who applied for
the Google Summer of Code 2010 and submitted patches for Geeklog. Some
of them already made it into 1.7.0, the rest is scheduled for
inclusion into Geeklog 1.7.1. We will also be looking into adding more
of our successful GSoC projects from 2009 into that release.
May 9, 2010 (1.6.1sr1)
------------
This release addresses the following security issue:
The autologin (using the long-term session cookie) is vulnerable to dictionary
attacks. This issue was originally reported by Bookoo of the Nine Situations
Group in one of his reports in April 2009 but apparently overlooked by the
Geeklog Team. Thanks to geeklog.net user Jack for pointing this out.
Geeklog 1.6.1
New Features and Improvements
* Geeklog now lets you enter meta descriptions and meta keywords for the main
page, for stories, topics, static pages, and polls. Please note that these
meta tags may not be used by some search engines.
* You can now have one featured story per topic (for stories set to "Show
only in Topic").
* New autotags now allow you to embed polls in stories and everywhere else
where autotags are allowed.
* The Migrate option in the install script can now also be applied to an
existing database (i.e. you don't need to import a database dump to update
your URLs and paths).
* The Database Backup admin panel now includes options to optimize the
database and convert tables to InnoDB (MySQL only).
* Improved timezone support and let users actually set their own timezone.
* Minor security enhancements:
+ "Important" cookies (like the session cookies) are now created with the
HttpOnly flag set. This will help avoid some XSS attacks, provided your
browser supports this flag.
+ Template errors will now trigger the standard error handler instead of
exposing the template path.
+ Fixed inclusion protection for some of the Spam-X class files.
Please also see the list of theme changes.
Bugfixes
* Fixed automatic closing of stories for comments after a certain amount of
days. If you need to re-open comments on stories that were closed due to
this bug, you can use this SQL request:
UPDATE gl_stories SET commentcode = 0, comment_expire = 0 WHERE commentcode
= 1;
* The comment speed limit was being ignored.
* Fixed a bug in the Group Editor that didn't let you add groups to other
groups (this problem was only introduced in Geeklog 1.6.0).
* The admin group for the Static Pages plugin was created with a wrong name
in Geeklog 1.6.0 (fresh installs only).
* Several tweaks and minor fixes (e.g. compatibility with PHP 4) in the
search.
o Add some pkgsrc patches to improve Content-Type header output.
Geeklog 1.6.0sr2
This release addresses the following security issue:
* Unauthorized file uploads were possible through FCKeditor.
Uploaded files still had to go through FCKeditor's filter, so it was not
possible to upload scripts (and the integrity of the Geeklog site as such
was not in danger). There were, however, reports that this was used to host
malware.
This update prevents use of the upload feature when FCKeditor is disabled
and disables it for anonymous users. It also doesn't allow uploading of
archive files any more. Furthermore, you need some sort of "edit"
permission now to be able to upload files through FCKeditor (this is meant
as an interim measure - we will probably introduce a separate "upload"
permission in future Geeklog versions).
Other fixes:
* Fixed installation using InnoDB tables.
* Fixed a (non-exploitable) SQL error when auto-updating a story's
commentcode field.
* Fixed a wrong function name in the Links plugin.
Geeklog 1.6.0sr1
This release addresses the following security issues:
1. Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
2. The "Mail Story to a Friend" function didn't check story permissions, so
that it was possible to email a story even if you didn't have the
permissions to view it on the site.
Other fixes:
* Fixed an SQL error when submitting a story and the story submission queue
was off.
* Fixed calls to a nonexistent function COM_outputMessageAndAbort.
Geeklog 1.6.0
Results from the Summer of Code
This release incorporates the following projects implemented during the the
2008 Google Summer of Code:
* Site migration support and easier plugin installation, by Matt West
* Improved search, by Sami Barakat
* Comment moderation and editable comments, by Jared Wenerd
Other changes
* The minimum PHP version required by Geeklog is now PHP 4.3.0. Given that
the PHP team ended support for PHP 4 in August 2008, you should be looking
into upgrading to PHP 5 anyway.
* Includes FCKeditor 2.6.4.1
* Includes a new plugin, XMLSitemap, that automatically generates a XML
sitemap file, as supported by all major search engines. Plugin written and
provided by mystral-kk.
* Several new plugin API functions have been added and existing functions
have been extended.
* The included documentation has been moved to docs/english to allow for
translations. Links to the documentation from within Geeklog will link to
existing translations for the current language automatically (or fall back
to the English documentation if no suitable translation can be found).
* There were a variety of theme changes to support new functionality and fix
inconsistencies in the layout.
This release also includes a number of patches and improvements made by
students applying for participation in the Google Summer of Code 2009. Thank
you!
as full release.
And add updated fckeditor for Geeklog.
These updates should fix known security problems, Secunia SA36372.
Jul 30, 2009 (1.5.2sr5)
------------
This release addresses the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that
it was possible to email a story even if you didn't have the permissions to
view it on the site.
pkgsrc changes: overhaul this package.
* Add LICENSE.
* Clean up bmake's macros, such as addition of PRINT_PLIST_AWK.
Geeklog changes: too many chagnes to write here.
* New user-friendly installation.
* New Configuration GUI.
* New Webservice GUI.
* And more.
Please refer http://www.geeklog.net/docs/english/changes.html
for more information.
Fixed some security problems about SQL injection vulnerability.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
pkgsrc's change: improving our README file.
Geeklog 1.4.1
New Features
* Support for Microsoft SQL Server. Starting with this release, Geeklog can
now also be installed on Microsoft SQL Server, so it's no longer restricted
to just MySQL. The MS SQL support was developed by Randy Kolenko. Thanks,
Randy!
Please note that any third-party plugins will have to offer support for MS
SQL before they can be installed on Microsoft SQL Server. The bundled
plugins (Calendar, Links, Polls, Spam-X, Static Pages) have already been
updated accordingly.
* Calendar plugin. The formerly built-in calendar and events have now been
moved into a separate plugin. This complements the move of the polls and
links sections into plugins in Geeklog 1.4.0 and makes Geeklog more modular
as you can now easily disable or replace functionality that you don't need
for your site.
* Multi-language support. It is now possible to build truly multi-linugal
sites with Geeklog where not only the navigation but also the content of
the site changes with the language.
* Ships with FCKeditor 2.3.1, which once again includes a file manager for
uploading images.
* A function for mass-deletion of old or inactive users. The list
automatically searches for users that have never logged in, only used the
site for a very short time or have not been online since a very long time.
The time span can be varied, and found users can be selectively deleted.
Security
In the light of the security issues discovered in Geeklog 1.4.0 and earlier
versions, the Geeklog source code has undergone a code review. We have
identified and addressed several minor issues and introduced new measures to
enhance security in this release. As a welcome side effect, the code reviews
have also uncovered a few bugs and inconsistencies that we also fixed in this
release.
Spam Protection
With this release we are finally removing support for the discontinued
MT-Blacklist. In its place, we are now using a system called Spam Link
Verification (SLV) run by Russ Jones at www.linksleeve.org. SLV could be
described as a community-driven, automatically updated blacklist. See the
documentation of the Spam-X plugin for details.
pkgsrc release engineering team.
- Keep current directory with DEINSTALL and INSTALL script.
- remove extra processing with POST-DEINSTALL action from DEINSTALL script.
- Suggest use of additional graphic package.
- Add APACHE_GROUP to BUILD_DEFS.
- install ${GEEKLOG_EXAMPLESDIR}/createdb.php with INSTALL_SCRIPT.
Bump PKGREVISION.
It fixes cross-site-scripting security problem.
Geeklog 1.4.0sr5
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
----------------------------------------------------------------------------
Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.
o Some of the files outside of the public_html directory were not protected
against direct execution. If Geeklog was installed such that those files
were accessible from a URL (which has always been strongly discouraged in
the installation instructions) then those files could be used to load and
execute malicious code from a remote server.
More information: So-called Geeklog "exploit" posted
In this release, we've added the missing execution prevention for all files
outside of public_html. We would still, however, suggest that you fix your
Geeklog install if the files outside of public_html are accessible from a
URL (see our FAQ for details).
o The "mcpuk" file manager that we've integrated into FCKeditor allowed the
upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
config.php). Depending on your webserver's configuration, it was then
possible to execute that uploaded code.
More information: Exploit for FCKeditor's mcpuk file manager
The file manager has been removed from this release. You will therefore no
longer be able to upload files, e.g. images, through FCKeditor. Future
versions of Geeklog will ship with an updated version of FCKeditor and its
included file manager.
Note: This release also includes the updated lib-trackback.php for better
protection against Trackback spam.
----------------------------------------------------------------------------
First problem dosen't related to pkgsrc.