Commit graph

17 commits

Author SHA1 Message Date
jlam
4390d56940 Make it easier to build and install packages "unprivileged", where
the owner of all installed files is a non-root user.  This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.

(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
    unprivileged.mk.  These two variables are lists of other bmake
    variables that define package-specific users and groups.  Packages
    that have user-settable variables for users and groups, e.g. apache
    and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
    etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
    so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
    and ${UNPRIVILEGED_GROUP}.

(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 20:54:31 +00:00
taca
0d71c3b8fb Update geeklog to 1.4.1.
pkgsrc's change: improving our README file.


Geeklog 1.4.1

New Features

  * Support for Microsoft SQL Server. Starting with this release, Geeklog can
    now also be installed on Microsoft SQL Server, so it's no longer restricted
    to just MySQL. The MS SQL support was developed by Randy Kolenko. Thanks,
    Randy!
    Please note that any third-party plugins will have to offer support for MS
    SQL before they can be installed on Microsoft SQL Server. The bundled
    plugins (Calendar, Links, Polls, Spam-X, Static Pages) have already been
    updated accordingly.
  * Calendar plugin. The formerly built-in calendar and events have now been
    moved into a separate plugin. This complements the move of the polls and
    links sections into plugins in Geeklog 1.4.0 and makes Geeklog more modular
    as you can now easily disable or replace functionality that you don't need
    for your site.
  * Multi-language support. It is now possible to build truly multi-lingual
    sites with Geeklog where not only the navigation but also the content of
    the site changes with the language.
  * Ships with FCKeditor 2.3.1, which once again includes a file manager for
    uploading images.
  * A function for mass-deletion of old or inactive users. The list
    automatically searches for users that have never logged in, only used the
    site for a very short time or have not been online for a very long time.
    The time span can be varied, and found users can be selectively deleted.

Security

In the light of the security issues discovered in Geeklog 1.4.0 and earlier
versions, the Geeklog source code has undergone a code review. We have
identified and addressed several minor issues and introduced new measures to
enhance security in this release. As a welcome side effect, the code reviews
have also uncovered a few bugs and inconsistencies that we also fixed in this
release.

Spam Protection

With this release we are finally removing support for the discontinued
MT-Blacklist. In its place, we are now using a system called Spam Link
Verification (SLV) run by Russ Jones at www.linksleeve.org. SLV could be
described as a community-driven, automatically updated blacklist. See the
documentation of the Spam-X plugin for details.
2007-05-20 15:56:44 +00:00
wiz
601583c320 Whitespace cleanup, courtesy of pkglint.
Patch provided by Sergey Svishchev in private mail.
2007-02-22 19:26:05 +00:00
rillig
111b194ecd apachever.mk is deprecated.
2007-02-15 15:00:44 +00:00
taca
5f3ccf88e6 - Reduce pkglint warning.
- Add GEEKLOG_SITEBASE to BUILD_DEFS.

No functional changes.
2006-08-17 14:16:56 +00:00
taca
8c73d1412a Update geeklog package to 1.4.0.5.1 (1.4.0sr5-1).
- Fix display problem with comment preview.
- Add afrikaans language support.
2006-07-24 16:13:55 +00:00
taca
ac8071c50c - Fix bad handling of some configuration files noted by ghen@ on behalf of
pkgsrc release engineering team.
- Keep current directory with DEINSTALL and INSTALL script.
- remove extra processing with POST-DEINSTALL action from DEINSTALL script.
- Suggest use of additional graphic package.
- Add APACHE_GROUP to BUILD_DEFS.
- install ${GEEKLOG_EXAMPLESDIR}/createdb.php with INSTALL_SCRIPT.

Bump PKGREVISION.
2006-07-23 13:21:09 +00:00
taca
255f11cc76 Update www/geeklog package to 1.4.0.5 (1.4.0sr5).
It fixes cross-site-scripting security problem.

Geeklog 1.4.0sr5

JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
2006-07-17 02:03:30 +00:00
taca
71ae50421e Oops, fix PKGREVISION's speeling.
2006-07-09 13:31:02 +00:00
taca
51cf68d030 - Set files' permission; a bundled PEAR library has too restricted
permission.
- Remove logs directory from PLIST.

Bump PKGREVISION.
2006-07-09 13:29:24 +00:00
taca
20dfdbfd6d Update geeklog-1.4.0.4 (1.4.0sr3).
----------------------------------------------------------------------------

Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.

 o  Some of the files outside of the public_html directory were not protected
    against direct execution. If Geeklog was installed such that those files
    were accessible from a URL (which has always been strongly discouraged in
    the installation instructions) then those files could be used to load and
    execute malicious code from a remote server.

    More information: So-called Geeklog "exploit" posted

    In this release, we've added the missing execution prevention for all files
    outside of public_html. We would still, however, suggest that you fix your
    Geeklog install if the files outside of public_html are accessible from a
    URL (see our FAQ for details).
 o  The "mcpuk" file manager that we've integrated into FCKeditor allowed the
    upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
    config.php). Depending on your webserver's configuration, it was then
    possible to execute that uploaded code.

    More information: Exploit for FCKeditor's mcpuk file manager

    The file manager has been removed from this release. You will therefore no
    longer be able to upload files, e.g. images, through FCKeditor. Future
    versions of Geeklog will ship with an updated version of FCKeditor and its
    included file manager.

Note: This release also includes the updated lib-trackback.php for better
protection against Trackback spam.

----------------------------------------------------------------------------

First problem is not related to pkgsrc.
2006-07-01 00:22:38 +00:00
taca
52e0dbeecc Add a temporary fix to handle security problem of fckeditor; disabling
file upload functions.

Bump PKGREVISION.
2006-06-30 17:16:27 +00:00
taca
1728544658 Fix files/README about initial database creation noted
by PR pkg/33762 from S. Kitagawa, thanks much.
2006-06-19 02:27:04 +00:00
taca
195adf58c0 - Split MESSAGE's content to separate document file.
- Handle system/lib-custom.php as one of modifiable files.

Bump PKGREVISION.
2006-06-18 08:34:05 +00:00
taca
9ed74b2e9e No need to set APACHE_USER here.
2006-06-17 01:48:23 +00:00
taca
5dbf827826 Oops, forgot to correct include path of Makefile.common.
2006-06-16 08:41:12 +00:00
taca
b9bb4a6bfb Importing www/geeklog-1.4.0.3 (geeklog-1.4.0sr3).
Geeklog is a PHP/MySQL based application for managing dynamic web content.

"Out of the box", it is a blog engine, or a CMS with support for comments,
trackbacks, multiple syndication formats, spam protection, and all the
other vital features of such a system.
2006-06-15 13:26:42 +00:00