The weeks go by, and so do the security updates. Today it is a fix for the SQL injection possible in the webservices module. Available are the complete tarball for a fresh install, the update for version 1.5.2sr2, and a combo for updating from 1.5.2sr1.
Geeklog 1.5.2sr3 addresses the recently published exploit for an SQL injection in the webservices. It is available for download:
- as a complete tarball, for fresh installs and upgrades from any earlier release
- as an update for 1.5.2sr2 and
- as a "combo" update, bundling all the changes for 1.5.2sr1 - 1.5.2sr3.
After installing this update, you can enable the webservices again if you need them (or leave them disabled if you don't - they are not an essential feature, unless you happen to be using an AtomPub client to post articles).
After the recent series of security issues, we will of course now take a closer look at Geeklog's source code again and re-evaluate our security measures. What's interesting about the last two exploits, for example, is that they simply were not possible a few years ago, as they rely on new features in MySQL 5. So there's obviously room for improvement here.
A quick overview of our plans for the near future: We're currently wrapping up the selection process for the student applications for this year's Summer of Code (results to be announced on April 20). We will also be publishing a beta version of Geeklog 1.6.0 at around the same time. Any results of a code review will then be available with the final 1.6.0 release (no due date, but tentatively before or around May 23, again in sync with the timeline for the Summer of Code).
Sorry for the recent hassle and we hope you stick with us.