Geeklog 1.3.8-1sr2
- Tuesday, October 14 2003 @ 04:30 pm EDT
- Contributed by: Dirk
- Views: 15,723
Following on the heels of 1.3.8-1sr1 is 1.3.8-1sr2, available as a (tiny) upgrade archive as well as a complete tarball.
Jouko Pynnonen found a way to trick the new "forgot password" feature, that was only introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses this issue - there were no other changes.
Users of 1.3.7sr3 are not affected (as the feature simply didn't exist there).
bye, Dirk