0.9.6
------
- Plugins were creatd in toolbar even if they were asked not to in pop up
windows, fixed.
- Fixed Window Orphan and New Window popups so that they don't display
menubars and other uwanted contents.
- Implemented ContentHandler so that we dont see Mozilla's ugly File picker
which did not work for save even! - Now we display our own file picker and
then redirect for mozilla download for those users who opt to use Mozilla's
own MIME info/downloading or direct to user's own downloader.
0.9.5
-----
- Plugin compile was broken, fixed.
- Changed a plugin function (skipstone_load_url) to (skipstone_load_url_cb)
to distinguish from skipstone's internal message.
- Distribution cleanups.
XXX We really should make this package compile with recent firefox/seamonkey
versions, otherwise it will soon become unusable (with mozilla no longer
being maintained). I had a patch to make it compile with Firefox 1.0.x,
but it no longer works for Firefox 1.5.x.
A WikiWikiWeb is a collaborative hypertext environment, with an
emphasis on easy access to and modification of information. MoinMoin
is a Python WikiClone that allows you to easily set up your own wiki,
only requiring a Python installation.
Changes:
* Improved stability
* Several security fixes (see below)
* A bug was introduced in SeaMonkey 1.0.2 that sometimes caused the URL bar to
stop working properly when switching tabs. This has been fixed. (Bug 332874)
* If you have more bookmarks on your personal toolbar than there is space for,
the ">>" overflow icon will now display more reliably (Bug 338803)
* If you choose to update SeaMonkey when it notifies you that an update is
available, the update page will load in a more useful browser window (with
navigation buttons and toolbars) (Bug 334903)
Security fixes:
MFSA 2006-56 chrome: scheme loading remote content
MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
MFSA 2006-53 UniversalBrowserRead privilege escalation
MFSA 2006-52 PAC privilege escalation using Function.prototype.call
MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
MFSA 2006-50 JavaScript engine vulnerabilities
MFSA 2006-49 Heap buffer overwrite on malformed VCard
MFSA 2006-48 JavaScript new Function race condition
MFSA 2006-47 Native DOM methods can be hijacked across domains
MFSA 2006-46 Memory corruption with simultaneous events
MFSA 2006-45 Javascript navigator Object Vulnerability
MFSA 2006-44 Code execution through deleted frame reference
For a detailed ChangeLog, see:
http://www.mozilla.org/projects/seamonkey/releases/seamonkey1.0.3/changelog.html
Changes with Apache 1.3.37
*) SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
[Mark Cox]
security problems with 1.5.0.4. No functional changes at all in the
package -- this is purely a security update.
See CERT advisory TA06-208A (last revised July 27) for details.
to version 2.0.59. Changes since *2.0.58:
- SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
If ${FILESDIR}/getsite.sh exists, then use it to determine the fetch
URL for each of the distfiles for the package. Otherwise, use
SITE_<file> and MASTER_SITES, in order, to determine the URL for each
distfile.
If the script path differs from ${FILESDIR}/getsite.sh, then set
DYNAMIC_SITE_SCRIPT to the full path to that script.
Remove the need to set DYNAMIC_MASTER_SITES explicitly in the package
Makefile for:
graphics/ns-cult3d
wm/sawfish-themes
www/apache-tomcat55
www/jakarta-tomcat4
www/jakarta-tomcat5
pkgsrc release engineering team.
- Keep current directory with DEINSTALL and INSTALL script.
- remove extra processing with POST-DEINSTALL action from DEINSTALL script.
- Suggest use of additional graphic package.
- Add APACHE_GROUP to BUILD_DEFS.
- install ${GEEKLOG_EXAMPLESDIR}/createdb.php with INSTALL_SCRIPT.
Bump PKGREVISION.
since they always need a C compiler, even when the source code is
completely in C++.
For some other packages, stated in the comment that a C compiler is
really not needed.
2006-04-28 Gisle Aas
Release 3.54
Yaakov Belch discovered yet another issue with <script> parsing.
Enabling of 'empty_element_tags' got the parser confused
if it found such a tag for elements that are normally parsed
in literal mode. Of these <script src="..."/> is the only
one likely to be found in documents.
<http://rt.cpan.org//Ticket/Display.html?id=18965>
2006-04-27 Gisle Aas
Release 3.53
When ignore_element was enabled it got confused if the
corresponding tags did not nest properly; the end tag
was treated it as if it was a start tag.
Found and fixed by Yaakov Belch
<http://rt.cpan.org/Ticket/Display.html?id=18936>
2006-04-26 Gisle Aas
Release 3.52
Make sure the 'start_document' fires exactly once for
each document parsed. For earlier releases it did not
fire at all for empty documents and could fire multiple
times if parse was called with empty chunks.
Documentation tweaks and typo fixes.
2006-03-22 Gisle Aas
Release 3.51
Named entities outside the Latin-1 range are now only expanded
when properly terminated with ";". This makes HTML::Parser
compatible with Firefox/Konqueror/MSIE when it comes to how these
entities are expanded in attribute values. Firefox does expand
unterminated non-Latin-1 entities in plain text, so here
HTML::Parser only stays compatible with Konqueror/MSIE.
Fixes <http://rt.cpan.org/Ticket/Display.html?id=17962>.
Fixed some documentation typos spotted by william at knowmad.com.
<http://rt.cpan.org/Ticket/Display.html?id=18062>
Changes with Apache 1.3.36
*) Reverted SVN rev #396294 due to unwanted regression.
The new feature introduced in 1.3.35 (Allow usage of the
"Include" configuration directive within previously "Include"d
files) has been removed in the meantime.
(http://svn.apache.org/viewcvs?rev=396294&view=rev)
Changes with Apache 1.3.35
*) SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
*) core: Allow usage of the "Include" configuration directive within
previously "Include"d files. [Colm MacCarthaigh]
*) HTML-escape the Expect error message. Not classed as security as
an attacker has no way to influence the Expect header a victim will
send to a target site. Reported by Thiago Zaninotti [Mark Cox]
*) mod_cgi: Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
[Roy Fielding] PR 15242
had actually been ignoring LTCONFIG_OVERRIDE anyway and just using
the default LIBTOOL_OVERRIDE to replace libtool scripts in packages.
This just formalizes the fact that LTCONFIG_OVERRIDE is not used
meaningfully by pkgsrc.
version: 0.18
date: Wed Mar 8 02:06:47 PST 2006
changes:
- Made Test.Base stuff its own module. Now Jemplate relies on that module.
- Christian Hansen added a simple daemon for running tests.
- Cees Hek added all hash virtual methods (except `import` which caused
major grief)
- Cees monkeyed around in the Stash lookup code
- Yann K implemented the `replace` filter
- Ingy made `foo.bar()` always call a method `bar`.
- Ingy completely refactored Test.Base and then proceeded to refactor the
Jemplate test suite in kind.
- gugod pulled over some uri escaping code from Kwiki
- chansen tweaked the daemon to honor caching rules
- Cory Bennett fixed some bug having to do with a Javascript String object.
- Cees fixed the defaults for the `indent` and `truncate` filters.
- Stephen Howard reported that Jemplate was not localising the stash for
the INCLUDE directive, and he even supplied a patch, but Ingy had
already made the fix.
- Ingy played with the Stash lookup code and hopefully got it just perfect.
- Ingy added support for the DEFAULT directive.
- Lots more tests in this release.
It fixes cross-site-scripting security problem.
Geeklog 1.4.0sr5
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
Major changes compared to Horde 3.1.1 are:
* Security Fixes
- Closed XSS problems in dereferrer (IE only), help viewer and problem
reporting screen.
- Removed unused image proxy code from dereferrer.
* Bugfixes and improvements
- Added configuration option to disable GET-based sessions.
- Added Oracle and generic SQL upgrade scripts.
- Improved default charset support.
- Improved API and RPC interface.
- Fixed the preference cache.
The full list of changes (from version 3.1.1) can be viewed here:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.231&r2=1.515.2.252&ty=h
Pkgsrc changes:
- Introduced USE_LANGUAGES.
Relevant changes since version 3.19_01:
=======================================
[THINGS THAT MAY BREAK YOUR CODE]
* The store_declarations() method has been restored, but defaults
to true instead of false.
[THINGS THAT MAY BREAK YOUR CODE]
* The store_declarations() method has been removed.
* Non-closing HTML tags like <IMG> are now rendered as <IMG />.
* All values in tags are now double-quoted. Previously, all-numeric
values weren't quoted.
Pkgsrc changes:
- none
Relevant changes since version 3.11:
====================================
Version 3.20
1. Patch from David Wheeler for CGI::Cookie->bake(). Uses mod_perl
headers_out->add() rather than headers_out->set().
2. Fixed problem identified by Andrei Voronkov in which start_form()
output was screwed up when initial argument begins with a dash and
subsequent arguments do not.
3. Quashed uninitialized variable warnings coming from script_name(),
url() and other functions that require access to the PATH_INFO
environment variable.
Version 3.19
1. Added patch from Stephen Frost that allows one to suppress use of the
temp file that is created during uploads.
2. Fixed problem noted by Martin Foster in which regular expression
meta-character terms in the path information were not quoted, causing
URL parsing to fail on URLs that contained metacharacters (such as +).
3. More fixes to the url() method.
4. Removed "hack to fix broken PATH_INFO in MSII".
Version 3.18
1. Doc typo fixes.
2. Patch from Steve Peters to default the document type to match the charset.
3. Fixed param() so that param(-name=>'foo',-values=>[]) sets the
parameter to empty list.
Version 3.17 Fri Feb 24 14:01:27 EST 2006
1. Added patch from Mike Hanafey which caused 0 arguments to
CGI::Cookie->new() to be treated as empty.
2. Patch to CGI::Carp from Peter Whaite to fix the unfixable problem of
CGI::Carp not behaving correctly in an eval() context.
3. CGI::Fast->new() calls CGI->_reset_globals to avoid contamination of
one session with another's variables.
4. Fixed upload failure on files that contain semicolons in their names.
Version 3.16 Wed Feb 8 13:29:11 EST 2006
1. header() -charset option now works even when the MIME type is not "text".
2. Fixed documentation for cookie() function and fastCGI.
3. Upload filehandles now only closed automatically on Windows systems.
4. Apache::Cookie compatibility fix from David Wheeler
5. CGI::Carp->fatalsToBrowser() does not work correctly with
mod_perl 2. No workaround is known.
6. Fixed text status code associated with 302 redirects. Should be "Found"
but was "Moved".
7. Fixed charset in start_html() and header() to be in synch.
Version 3.14 Tue Dec 6 17:12:03 EST 2005
1. Fixed broken scrolling_list() select attribute.
Version 3.14 Tue Dec 6 17:12:03 EST 2005
1. Fixed broken scrolling_list() select attribute.
Version 3.13
1. Removed extraneous empty "?" from end of self_url().
Version 3.12
1. Fixed virtual_port so that it works properly with https protocol.
2. Fixed documentation for upload_hook().
3. Added POSTDATA documentation.
4. Made upload_hook() work in function-oriented mode.
5. Fixed POST_MAX behavior so that it doesn't cause client to hang.
6. Disabled automatic tab indexes and added new -tabindex pragma to
turn automatic indexes back on.
7. The url() and self_url() methods now work better in the context of Apache
mod_rewrite. Be advised that path_info() may give you confusing results
when mod_rewrite is active because Apache calculates the path info
*after* rewriting. This is mostly worked around in url() and self_url(),
but you may notice some anomalies.
8. Removed empty (and non-validating) <div> from code emitted by end_form().
9. Fixed CGI::Carp to work correctly with Mod_perl 1.29 in an Apache 2
environment.
10. Setting $CGI::TMPDIRECTORY should now be effective.
none
Changes:
Trac-0.9.6-ja-1 (Jul 7, 2006)
* Merge trac-0.9.6
* Update to current statement.
* README.trac-ja
* wiki-default/TracJa
Trac 0.9.6 (Jul 6, 2006)
http://svn.edgewall.com/repos/trac/tags/trac-0.9.6
* Fixed reStructuredText breach of privacy and denial of service
* vulnerability
found by Felix Wiemann.
* trac-post-commit-hook fixes.
* Fixed bugs: #2894, #3058, #3209#3325.
From PR pkg/33942 by Akio OBATA.
Changes:
* Fixed reStructuredText breach of privacy and denial of service
vulnerability found by Felix Wiemann.
* trac-post-commit-hook fixes.
* Fixed bugs: #2894, #3058, #3209#3325.
- Moved the binary from sbin to bin, since the manual page is also in
category 1.
- Replaced /var with ${VARBASE}.
- Sorted PLIST.
- Bumped PKGREVISION.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
set OVERRIDE_DIRDEPTH to find any libtool scripts deeper in the WRKSRC
tree unless they're named something other than "libtool".
SHLIBTOOL_OVERRIDE generally doesn't need to be specified either -- just
define it to the empty list and shlibtool-override will look for libtool
scripts.
Version 7.15.4 (12 June 2006)
Daniel (8 June 2006)
- Brian Dessent fixed the code for cygwin in three distinct ways:
The first modifies {lib,src}/setup.h to not include the winsock headers
under Cygwin. This fixes the reported build problem. Cygwin attempts as
much as possible to emulate a posix environment under Windows. This means
that WIN32 is *not* #defined and (to the extent possible) everything is done
as it would be on a *ix type system. Thus <sys/socket.h> is the proper
include, and even though winsock2.h is present, including it just introduces
a whole bunch of incompatible socket API stuff.
The second is a patch I've included in the Cygwin binary packages for a
while. It skips two unnecessary library checks (-lwinmm and -lgdi32). The
checks are innocuous and they do succeed, but they pollute LIBS with
unnecessary stuff which gets recorded as such in the libcurl.la file, which
brings them into the build of any libcurl-downstream. As far as I know
these libs are really only necessary for mingw, so alternatively they could
be designed to only run if $host matches *-*-mingw* but I took the safer
route of skipping them for *-*-cygwin*.
The third patch replaces all uses of the ancient and obsolete __CYGWIN32__
with __CYGWIN__. Ref: <http://cygwin.com/ml/cygwin/2003-09/msg01520.html>.
Daniel (7 June 2006)
- Mikael Sennerholm provided a patch that added NTLM2 session response support
to libcurl. The 21 NTLM test cases were again modified to comply...
Daniel (27 May 2006)
- Óscar Morales Vivó updated the libcurl.framework.make file.
Daniel (26 May 2006)
- Olaf Stüben fixed a bug that caused Digest authentication with md5-sess to
fail. When using the md5-sess, the result was not Md5 encoded and Base64
transformed.
Daniel (25 May 2006)
- Michael Wallner provided a patch that allows "SESS" to be set with
CURLOPT_COOKIELIST, which then makes all session cookies get cleared.
Daniel (24 May 2006)
- Tor Arntsen made test 271 run fine again since the TFTP path fix.
Daniel (23 May 2006)
- Martin Michlmayr filed debian bug report #367954, but the same error also
showed up in the autobuilds. It seems a rather long-since introduced shell
script flaw in the configure script suddenly was detected by the bash
version in Debian Unstable. It had previously passed undetected by all
shells used so far...
- David McCreedy updated lib/config-tpf.h
Daniel (11 May 2006)
- Fixed the configure's check for old-style SSLeay headers since I fell over a
case with a duplicate file name (a krb4 implementation with an err.h
file). I converted the check to manually make sure three of the headers are
present before considering them fine.
- David McCreedy provided a fix for CURLINFO_LASTSOCKET that does extended
checks on the to-be-returned socket to make sure it truly seems to be alive
and well. For SSL connection it (only) uses OpenSSL functions.
Daniel (10 May 2006)
- Fixed DICT in two aspects:
1 - allow properly URL-escaped words, like using %20 for spaces
2 - properly escape certain letters within a word to comply to the RFC2229
Daniel (9 May 2006)
- Andreas Ntaflos reported a bug in libcurl.m4: When configuring my GNU
autotools project, which optionally (default=yes) uses libcurl on a system
without a (usable) libcurl installation, but not specifying
`--without-libcurl', configure determines correctly that no libcurl is
available, however, the LIBCURL variable gets expanded to `LIBCURL = -lcurl'
in the resulting Makefiles.
David Shaw fixed the flaw.
- Robson Braga Araujo fixed two problems in the recently added non-blocking SSL
connects. The state machine was not reset properly so that subsequent
connects using the same handle would fail, and there were two memory leaks.
- Robson Braga Araujo fixed a memory leak when you added an easy handle to a
multi stack and that easy handle had already been used to do one or more
easy interface transfers, as then the code threw away the previously used
DNS cache without properly freeing it.
Daniel (8 May 2006)
- Dan Fandrich went over the TFTP code and he pointed out and fixed numerous
problems:
* The received file is corrupted when a packet is lost and retransmitted
(this is a serious problem!)
* Transmitting a file aborts if a block is lost and retransmitted
* Data is stored in the wrong location in the buffer for uploads, so uploads
always fail (I don't see how it could have ever worked, but it did on x86
at least)
* A number of calls are made to strerror instead of Curl_strerror, making
the code not thread safe
* There are references to errno instead of Curl_sockerrno(), causing
incorrect error messages on Windows
* The file name includes a leading / which violates RFC3617. Doing something
similar to ftp, where two slashes after the host name means an absolute
reference seems a reasonable extension to fix this.
* Failures in EBCDIC conversion are not propagated up to the caller but are
silently ignored
- Fixed known bug #28. The TFTP code no longer assumes a packed struct and
thus works reliably on more platforms.
Daniel (5 May 2006)
- Roland Blom filed bug report #1481217
(http://curl.haxx.se/bug/view.cgi?id=1481217), with follow-ups by Michele
Bini and David Byron. libcurl previously wrongly used GetLastError() on
windows to get error details after socket-related function calls, when it
really should use WSAGetLastError() instead.
When changing to this, the former function Curl_ourerrno() is now instead
called Curl_sockerrno() as it is necessary to only use it to get errno from
socket-related functions as otherwise it won't work as intended on Windows.
Daniel (4 May 2006)
- Mark Eichin submitted bug report #1480821
(http://curl.haxx.se/bug/view.cgi?id=1480821) He found and identified a
problem with how libcurl dealt with GnuTLS and a case where gnutls returned
GNUTLS_E_AGAIN indicating it would block. It would then return an unexpected
return code, making Curl_ssl_send() confuse the upper layer - causing random
28 bytes trash data to get inserted in the transfered stream.
The proper fix was to make the Curl_gtls_send() function return the proper
return codes that the callers would expect. The Curl_ossl_send() function
already did this.
Daniel (2 May 2006)
- Added a --checkfor option to curl-config to allow users to easier
write for example shell scripts that test for the presence of a
new-enough libcurl version. If --checkfor is given a version string
newer than what is currently installed, curl-config will return a
non-zero exit code and output a string about the unfulfilled
requirement.
Daniel (26 April 2006)
- David McCreedy brought initial line end conversions when doing FTP ASCII
transfers. They are done on non-windows systems and translate CRLF to LF.
I modified the 15 LIST-using test cases accordingly. The downside is that now
we'll have even more trouble to get the tests to run on Windows since they
should get CRLF newlines left intact which the *nix versions don't. I figure
the only sane thing to do is to add some kind of [newline] macro for the test
case files and have them expanded to the proper native line ending when the
test cases are run. This is however left to implement.
Daniel (25 April 2006)
- Paul Querna fixed libcurl to better deal with deflate content encoding
when the stream (wrongly) lacks a proper zlib header. This seems to be the
case on too many actual server implementations.
Daniel (21 April 2006)
- Ale Vesely fixed CURLOPT_INTERFACE when using a hostname.
Daniel (19 April 2006)
- Based on previous info from Tor Arntsen, I made configure detect the Intel
ICC compiler to add a compiler option for it, in order for configure to
properly be able to detect function prototypes.
- Robson Braga Araujo provided a patch that makes libcurl less eager to close
the control connection when using FTP, for example when you remove an easy
handle from a multi stack.
- Applied a patch by Ates Goral and Katie Wang that corrected my bad fix
attempt from April 10.
Daniel (11 April 2006)
- #1468330 (http://curl.haxx.se/bug/view.cgi?id=1468330) pointed out a bad
typecast in the curl tool leading to a crash with (64bit?) VS2005 (at least)
since the struct timeval field tv_sec is an int while time_t is 64bit.
Daniel (10 April 2006)
- Ates Goral found out that if you specified both CURLOPT_CONNECTTIMEOUT and
CURLOPT_TIMEOUT, the _longer_ time would wrongly be used for the SSL
connection time-out!
- I merged my hiper patch (http://curl.haxx.se/libcurl/hiper/) into the main
sources. See the lib/README.multi_socket for implementation story with
details. Don't expect it to work fully yet. I don't intend to blow any
whistles or ring any bells about it until I'm more convinced it works at
least somewhat reliably.
Daniel (7 April 2006)
- David McCreedy's EBCDIC and TPF changes. Three new curl_easy_setopt()
options (callbacks) were added:
CONV_FROM_NETWORK_FUNCTION
CONV_TO_NETWORK_FUNCTION
CONV_FROM_UTF8_FUNCTION
Daniel (5 April 2006)
- Michele Bini modified the NTLM code to work for his "weird IIS case"
(http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
function in addition to the LM one and making some other adjustments in the
order the different parts of the data block are sent in the Type-2 reply.
Inspiration for this work was taken from the Firefox NTLM implementation.
I edited the existing 21(!) NTLM test cases to run fine with these news. Due
to the fact that we now properly include the host name in the Type-2 message
the test cases now only compare parts of that chunk.
Daniel (28 March 2006)
- #1451929 (http://curl.haxx.se/bug/view.cgi?id=1451929) detailed a bug that
occurred when asking libcurl to follow HTTP redirects and the original URL
had more than one question mark (?). Added test case 276 to verify.
Daniel (27 March 2006)
- David Byron found a problem multiple -d options when libcurl was built with
--enable-debug, as then curl used free() on memory allocated both with
normal malloc() and with libcurl-provided functions, when the latter MUST be
freed with curl_free() in debug builds.
Daniel (26 March 2006)
- Tor Arntsen figured out that TFTP was broken on a lot of systems since we
called bind() with a too big argument in the 3rd parameter and at least
Tru64, AIX and IRIX seem to be very picky about it.
Daniel (21 March 2006)
- David McCreedy added CURLINFO_FTP_ENTRY_PATH.
- Xavier Bouchoux made the SSL connection non-blocking for the multi interface
(when using OpenSSL).
- Tor Arntsen fixed the AIX Toolbox RPM spec
Daniel (20 March 2006)
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
reacts properly according to the CURLOPT_FTP_SSL setting.
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
whose length was a multiple of 512 bytes could have random garbage
appended. Also, stop processing TFTP packets which are too short to be
legal.
- Ilja van Sprundel reported a possible crash in the curl tool when using
"curl hostwithoutslash -d data -G"
These Python modules provide simple yet powerful multi-threaded
object-oriented CGI/FastCGI/mod_python/html-templating facilities for
the Python programming language.
----------------------------------------------------------------------------
Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.
o Some of the files outside of the public_html directory were not protected
against direct execution. If Geeklog was installed such that those files
were accessible from a URL (which has always been strongly discouraged in
the installation instructions) then those files could be used to load and
execute malicious code from a remote server.
More information: So-called Geeklog "exploit" posted
In this release, we've added the missing execution prevention for all files
outside of public_html. We would still, however, suggest that you fix your
Geeklog install if the files outside of public_html are accessible from a
URL (see our FAQ for details).
o The "mcpuk" file manager that we've integrated into FCKeditor allowed the
upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
config.php). Depending on your webserver's configuration, it was then
possible to execute that uploaded code.
More information: Exploit for FCKeditor's mcpuk file manager
The file manager has been removed from this release. You will therefore no
longer be able to upload files, e.g. images, through FCKeditor. Future
versions of Geeklog will ship with an updated version of FCKeditor and its
included file manager.
Note: This release also includes the updated lib-trackback.php for better
protection against Trackback spam.
----------------------------------------------------------------------------
First problem dosen't related to pkgsrc.
