Commit graph

12 commits

Author SHA1 Message Date
taca
3f9aca5855 Update www/geeklog package to 1.6.1.
Geeklog 1.6.1

New Features and Improvements

  * Geeklog now lets you enter meta descriptions and meta keywords for the main
    page, for stories, topics, static pages, and polls. Please note that these
    meta tags may not be used by some search engines.
  * You can now have one featured story per topic (for stories set to "Show
    only in Topic").
  * New autotags now allow you to embed polls in stories and everywhere else
    where autotags are allowed.
  * The Migrate option in the install script can now also be applied to an
    existing database (i.e. you don't need to import a database dump to update
    your URLs and paths).
  * The Database Backup admin panel now includes options to optimize the
    database and convert tables to InnoDB (MySQL only).
  * Improved timezone support and let users actually set their own timezone.
  * Minor security enhancements:
      + "Important" cookies (like the session cookies) are now created with the
        HttpOnly flag set. This will help avoid some XSS attacks, provided your
        browser supports this flag.
      + Template errors will now trigger the standard error handler instead of
        exposing the template path.
      + Fixed inclusion protection for some of the Spam-X class files.

Please also see the list of theme changes.

Bugfixes

  * Fixed automatic closing of stories for comments after a certain amount of
    days. If you need to re-open comments on stories that were closed due to
    this bug, you can use this SQL request:
    UPDATE gl_stories SET commentcode = 0, comment_expire = 0 WHERE commentcode = 1;
  * The comment speed limit was being ignored.
  * Fixed a bug in the Group Editor that didn't let you add groups to other
    groups (this problem was only introduced in Geeklog 1.6.0).
  * The admin group for the Static Pages plugin was created with a wrong name
    in Geeklog 1.6.0 (fresh installs only).
  * Several tweaks and minor fixes (e.g. compatibility with PHP 4) in the
    search.
2009-11-30 15:44:45 +00:00
taca
b84ef6c9eb Update Geeklog to 1.6.0sr2 (security release 2).
o Add some pkgsrc patches to improve Content-Type header output.


Geeklog 1.6.0sr2

This release addresses the following security issue:

  * Unauthorized file uploads were possible through FCKeditor.
    Uploaded files still had to go through FCKeditor's filter, so it was not
    possible to upload scripts (and the integrity of the Geeklog site as such
    was not in danger). There were, however, reports that this was used to host
    malware.
    This update prevents use of the upload feature when FCKeditor is disabled
    and disables it for anonymous users. It also doesn't allow uploading of
    archive files any more. Furthermore, you need some sort of "edit"
    permission now to be able to upload files through FCKeditor (this is meant
    as an interim measure - we will probably introduce a separate "upload"
    permission in future Geeklog versions).

Other fixes:

  * Fixed installation using InnoDB tables.
  * Fixed a (non-exploitable) SQL error when auto-updating a story's
    commentcode field.
  * Fixed a wrong function name in the Links plugin.

Geeklog 1.6.0sr1

This release addresses the following security issues:

 1. Gerendi Sandor Attila reported an XSS in the forms to email a user and to
    email a story to a friend.
 2. The "Mail Story to a Friend" function didn't check story permissions, so
    that it was possible to email a story even if you didn't have the
    permissions to view it on the site.

Other fixes:

  * Fixed an SQL error when submitting a story and the story submission queue
    was off.
  * Fixed calls to a nonexistent function COM_outputMessageAndAbort.

Geeklog 1.6.0

Results from the Summer of Code

This release incorporates the following projects implemented during the
2008 Google Summer of Code:

  * Site migration support and easier plugin installation, by Matt West
  * Improved search, by Sami Barakat
  * Comment moderation and editable comments, by Jared Wenerd

Other changes

  * The minimum PHP version required by Geeklog is now PHP 4.3.0. Given that
    the PHP team ended support for PHP 4 in August 2008, you should be looking
    into upgrading to PHP 5 anyway.
  * Includes FCKeditor 2.6.4.1
  * Includes a new plugin, XMLSitemap, that automatically generates an XML
    sitemap file, as supported by all major search engines. Plugin written and
    provided by mystral-kk.
  * Several new plugin API functions have been added and existing functions
    have been extended.
  * The included documentation has been moved to docs/english to allow for
    translations. Links to the documentation from within Geeklog will link to
    existing translations for the current language automatically (or fall back
    to the English documentation if no suitable translation can be found).
  * There were a variety of theme changes to support new functionality and fix
    inconsistencies in the layout.

This release also includes a number of patches and improvements made by
students applying for participation in the Google Summer of Code 2009. Thank
you!
2009-09-15 10:48:46 +00:00
taca
6d51cee4c7 Update Geeklog 1.5.2sr5 by adding patches since 1.5.2sr5 isn't provided
as a full release.

And add updated fckeditor for Geeklog.

These updates should fix known security problems, Secunia SA36372.



Jul 30, 2009 (1.5.2sr5)
------------

This release addresses the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
  email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that
  it was possible to email a story even if you didn't have the permissions to
  view it on the site.
2009-09-13 01:15:10 +00:00
taca
6d2698e886 Update geeklog package from 1.4.1nb4 to 1.5.2.4 (1.5.2sr4).
pkgsrc changes: overhaul this package.

	* Add LICENSE.
	* Clean up bmake's macros, such as addition of PRINT_PLIST_AWK.

Geeklog changes: too many changes to write here.

	* New user-friendly installation.
	* New Configuration GUI.
	* New Webservice GUI.
	* And more.

	Please refer to http://www.geeklog.net/docs/english/changes.html
	for more information.

Fixed some security problems concerning SQL injection vulnerabilities.
2009-05-26 14:19:29 +00:00
taca
87755c333b Add security fix of FCKeditor.
http://www.geeklog.net/article.php/file-uploads

Bump PKGREVISION.
2008-09-09 14:34:13 +00:00
taca
4d81c56bf5 Add a security fix for kses, an HTML filter which isn't used in the default
configuration: http://www.geeklog.net/article.php/kses.

Also fix one pkglint warning.

Bump PKGREVISION.
2008-06-19 14:08:42 +00:00
taca
0d71c3b8fb Update geeklog to 1.4.1.
pkgsrc's change: improving our README file.


Geeklog 1.4.1

New Features

  * Support for Microsoft SQL Server. Starting with this release, Geeklog can
    now also be installed on Microsoft SQL Server, so it's no longer restricted
    to just MySQL. The MS SQL support was developed by Randy Kolenko. Thanks,
    Randy!
    Please note that any third-party plugins will have to offer support for MS
    SQL before they can be installed on Microsoft SQL Server. The bundled
    plugins (Calendar, Links, Polls, Spam-X, Static Pages) have already been
    updated accordingly.
  * Calendar plugin. The formerly built-in calendar and events have now been
    moved into a separate plugin. This complements the move of the polls and
    links sections into plugins in Geeklog 1.4.0 and makes Geeklog more modular
    as you can now easily disable or replace functionality that you don't need
    for your site.
  * Multi-language support. It is now possible to build truly multi-lingual
    sites with Geeklog where not only the navigation but also the content of
    the site changes with the language.
  * Ships with FCKeditor 2.3.1, which once again includes a file manager for
    uploading images.
  * A function for mass-deletion of old or inactive users. The list
    automatically searches for users that have never logged in, only used the
    site for a very short time, or have not been online for a very long time.
    The time span can be varied, and found users can be selectively deleted.

Security

In the light of the security issues discovered in Geeklog 1.4.0 and earlier
versions, the Geeklog source code has undergone a code review. We have
identified and addressed several minor issues and introduced new measures to
enhance security in this release. As a welcome side effect, the code reviews
have also uncovered a few bugs and inconsistencies that we also fixed in this
release.

Spam Protection

With this release we are finally removing support for the discontinued
MT-Blacklist. In its place, we are now using a system called Spam Link
Verification (SLV) run by Russ Jones at www.linksleeve.org. SLV could be
described as a community-driven, automatically updated blacklist. See the
documentation of the Spam-X plugin for details.
2007-05-20 15:56:44 +00:00
taca
8c73d1412a Update geeklog package to 1.4.0.5.1 (1.4.0sr5-1).
- Fix display problem with comment preview.
- Add Afrikaans language support.
2006-07-24 16:13:55 +00:00
taca
255f11cc76 Update www/geeklog package to 1.4.0.5 (1.4.0sr5).
It fixes a cross-site scripting security problem.

Geeklog 1.4.0sr5

JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
2006-07-17 02:03:30 +00:00
taca
20dfdbfd6d Update geeklog-1.4.0.4 (1.4.0sr3).
----------------------------------------------------------------------------

Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.

 o  Some of the files outside of the public_html directory were not protected
    against direct execution. If Geeklog was installed such that those files
    were accessible from a URL (which has always been strongly discouraged in
    the installation instructions) then those files could be used to load and
    execute malicious code from a remote server.

    More information: So-called Geeklog "exploit" posted

    In this release, we've added the missing execution prevention for all files
    outside of public_html. We would still, however, suggest that you fix your
    Geeklog install if the files outside of public_html are accessible from a
    URL (see our FAQ for details).
 o  The "mcpuk" file manager that we've integrated into FCKeditor allowed the
    upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
    config.php). Depending on your webserver's configuration, it was then
    possible to execute that uploaded code.

    More information: Exploit for FCKeditor's mcpuk file manager

    The file manager has been removed from this release. You will therefore no
    longer be able to upload files, e.g. images, through FCKeditor. Future
    versions of Geeklog will ship with an updated version of FCKeditor and its
    included file manager.

Note: This release also includes the updated lib-trackback.php for better
protection against Trackback spam.

----------------------------------------------------------------------------

The first problem isn't related to pkgsrc.
2006-07-01 00:22:38 +00:00
taca
52e0dbeecc Add a temporary fix to handle a security problem in fckeditor: disabling
the file upload functions.

Bump PKGREVISION.
2006-06-30 17:16:27 +00:00
taca
b9bb4a6bfb Importing www/geeklog-1.4.0.3 (geeklog-1.4.0sr3).
Geeklog is a PHP/MySQL based application for managing dynamic web content.

"Out of the box", it is a blog engine, or a CMS with support for comments,
trackbacks, multiple syndication formats, spam protection, and all the
other vital features of such a system.
2006-06-15 13:26:42 +00:00