13 commits

Author SHA1 Message Date
taca
5f3ccf88e6 - Reduce pkglint warning.
- Add GEEKLOG_SITEBASE to BUILD_DEFS.

No functional changes.
2006-08-17 14:16:56 +00:00
taca
8c73d1412a Update geeklog package to 1.4.0.5.1 (1.4.0sr5-1).
- Fix display problem with comment preview.
- Add afrikaans language support.
2006-07-24 16:13:55 +00:00
taca
ac8071c50c - Fix bad handling of some configuration files noted by ghen@ on behalf of
pkgsrc release engineering team.
- Keep current directory with DEINSTALL and INSTALL script.
- remove extra processing with POST-DEINSTALL action from DEINSTALL script.
- Suggest use of additional graphic package.
- Add APACHE_GROUP to BUILD_DEFS.
- install ${GEEKLOG_EXAMPLESDIR}/createdb.php with INSTALL_SCRIPT.

Bump PKGREVISION.
2006-07-23 13:21:09 +00:00
taca
255f11cc76 Update www/geeklog package to 1.4.0.5 (1.4.0sr5).
It fixes a cross-site scripting security problem.

Geeklog 1.4.0sr5

JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
2006-07-17 02:03:30 +00:00
taca
71ae50421e Oops, fix PKGREVISION's speeling. 2006-07-09 13:31:02 +00:00
taca
51cf68d030 - Set files' permission; a bundled PEAR library is too restricted
permission.
- Remove logs directory from PLIST.

Bump PKGREVISION.
2006-07-09 13:29:24 +00:00
taca
20dfdbfd6d Update geeklog-1.4.0.4 (1.4.0sr3).
----------------------------------------------------------------------------

Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.

 o  Some of the files outside of the public_html directory were not protected
    against direct execution. If Geeklog was installed such that those files
    were accessible from a URL (which has always been strongly discouraged in
    the installation instructions) then those files could be used to load and
    execute malicious code from a remote server.

    More information: So-called Geeklog "exploit" posted

    In this release, we've added the missing execution prevention for all files
    outside of public_html. We would still, however, suggest that you fix your
    Geeklog install if the files outside of public_html are accessible from a
    URL (see our FAQ for details).
 o  The "mcpuk" file manager that we've integrated into FCKeditor allowed the
    upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
    config.php). Depending on your webserver's configuration, it was then
    possible to execute that uploaded code.

    More information: Exploit for FCKeditor's mcpuk file manager

    The file manager has been removed from this release. You will therefore no
    longer be able to upload files, e.g. images, through FCKeditor. Future
    versions of Geeklog will ship with an updated version of FCKeditor and its
    included file manager.

Note: This release also includes the updated lib-trackback.php for better
protection against Trackback spam.

----------------------------------------------------------------------------

First problem doesn't relate to pkgsrc.
2006-07-01 00:22:38 +00:00
taca
52e0dbeecc Add a temporary fix to handle security problem of fckeditor; disabling
file upload functions.

Bump PKGREVISION.
2006-06-30 17:16:27 +00:00
taca
1728544658 Fix files/README about initial database creation noted
by PR pkg/33762 from S. Kitagawa, thanks much.
2006-06-19 02:27:04 +00:00
taca
195adf58c0 - Split MESSAGE's content to separate document file.
- Handle system/lib-custom.php as one of modifiable files.

Bump PKGREVISION.
2006-06-18 08:34:05 +00:00
taca
9ed74b2e9e No need to set APACHE_USER here. 2006-06-17 01:48:23 +00:00
taca
5dbf827826 Oops, forgot to correct include path of Makefile.common. 2006-06-16 08:41:12 +00:00
taca
b9bb4a6bfb Importing www/geeklog-1.4.0.3 (geeklog-1.4.0sr3).
Geeklog is a PHP/MySQL based application for managing dynamic web content.

"Out of the box", it is a blog engine, or a CMS with support for comments,
trackbacks, multiple syndication formats, spam protection, and all the
other vital features of such a system.
2006-06-15 13:26:42 +00:00