Gmane
From: Sven Klemm <sven-z2Gyq0uUrsk <at> public.gmane.org>
Subject: Pentabarf 0.2.7 Security Release
Newsgroups: gmane.network.conferencing.pentabarf.user
Date: Sunday 27th August 2006 21:34:07 UTC
Flex has discovered a bug in the Rails text_area_tag function which
affects Pentabarf. The text_area_tag function lacks proper escaping.
You can test whether your Pentabarf installation is vulnerable
by inserting



into the comment textfield for person. If you get a JavaScript popup
with the message bad after saving, then you are vulnerable.

The URL for the ticket in the rails bugtracker is
http://dev.rubyonrails.org/ticket/5929.

I've backported a fix to this vulnerability to all tags. If you cannot
upgrade to 0.2.7 you should at least update your current version.

There have been a few bugfixes and database changes in this version,
but most importantly there have been a lot of improvements to the
localization. To benefit from these changes you have to update your
ui_messages and ui_messages_localized tables. As these two tables are
referenced nowhere else you can safely delete their entries and insert
the new entries from the sql/data directory.

The general database upgrade script can be found under
sql/maintenance/upgrade_0.2.6_0.2.7.sql. Additionally, you should rerun
the views.sql and functions.sql scripts to update your views and functions.

The full Changelog for this version can be found in the wiki:
http://pentabarf.org/Changelog/0.2.7

The URL for 0.2.7 is svn://svn.cccv.de/pentabarf/tags/0.2.7.
To switch from another tag just enter the following command in the
root of your pentabarf checkout:
 svn switch svn://svn.cccv.de/pentabarf/tags/0.2.7

Greetings,
Sven

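As an added illustration of the escaping defect the announcement describes (this is not code from the original message, from Pentabarf, or from Rails), the following Ruby contrasts a simplified, hypothetical stand-in for text_area_tag that interpolates the saved value unescaped with one that HTML-escapes it first, and includes a small check a reviewer can run over rendered markup; the comment value is constructed.

```ruby
require 'cgi'

# Simplified stand-ins for Rails' text_area_tag helper (hypothetical, not the
# real Rails implementation). Both wrap a saved value in a <textarea> element.

# Vulnerable variant: the content is interpolated without escaping, so a value
# containing "</textarea>" closes the element early and whatever follows is
# parsed by the browser as page markup instead of as text.
def text_area_tag_unescaped(name, content)
  %(<textarea name="#{name}" id="#{name}">#{content}</textarea>)
end

# Fixed variant: the content is HTML-escaped, so "<", ">", "&" and quotes are
# shown literally inside the textarea and cannot start new markup.
def text_area_tag_escaped(name, content)
  %(<textarea name="#{name}" id="#{name}">#{CGI.escapeHTML(content.to_s)}</textarea>)
end

# Crude check over rendered output: the text between the opening and closing
# textarea tags must not contain a raw "<". Returns true when the markup is
# escaped as expected, false when a value broke out of the element.
def textarea_content_escaped?(html)
  m = html.match(%r{\A<textarea[^>]*>(.*)</textarea>\z}m)
  return false unless m
  !m[1].include?('<')
end

# Constructed sample value, the kind of text that could be saved in the
# person comment field; it attempts to close the textarea early.
SAMPLE = "comment text</textarea><b>injected</b>"

if __FILE__ == $0
  puts text_area_tag_unescaped('person[comment]', SAMPLE)
  puts text_area_tag_escaped('person[comment]', SAMPLE)
  puts textarea_content_escaped?(text_area_tag_unescaped('person[comment]', SAMPLE))
  puts textarea_content_escaped?(text_area_tag_escaped('person[comment]', SAMPLE))
end
```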