
Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5

  • Sunday, March 05 2006 @ 03:33 pm EST
Security

Unfortunately, yet another Geeklog security issue has surfaced: Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. This bug exists in all Geeklog versions released since 2002.

To address this serious issue, we are releasing the following security updates and strongly suggest that you upgrade your site as soon as possible.

The 1.4.0sr2 update also strips HTML tags from the location entry in a user's profile (a problem that only existed in 1.4.0). The 1.3.9sr5 update also includes the fixes for the earlier security issues. While Geeklog 1.3.9 isn't officially supported any more, we're making an exception here because of the severity of the issues and since many people still seem to be using that version. Nevertheless, we'd suggest that you upgrade to 1.4.0 at your earliest convenience.

GL_Gallery2 Plugin 0.5.0

  • Wednesday, March 01 2006 @ 09:39 am EST
Plugins

After quite a long delay, I've finally got to v0.5.0 of the Gallery2 integration plugin. This version will allow you to use it with Geeklog 1.4 if you choose to turn off register_globals and automatically maps all users from Geeklog into Gallery2.

You may get more information or download it through my geeklog software page.

v0.5.0 [01 Mar 2006]
* [fix] should work with register_globals off
* [fix] addresses the problem of new users not being able to see the random photo block until after they've visited the gallery
* [new] maps users and their settings into G2 [thanks Anthony Yvanovich]
    o whenever a user is added or removed from Geeklog, the user will be added or removed from G2
    o whenever a user's info is changed in Geeklog, it will be updated in G2
    o when updating to 0.5.0 or installing fresh, all Geeklog users will be mapped into G2

Note: My real work is keeping me too busy to work on this plugin. I will not be able to offer much one-on-one support for it, so please post to the forums whenever possible.

- Andy Maloney

Geeklog 1.4.0sr1 and 1.3.11sr4

  • Sunday, February 19 2006 @ 03:30 pm EST
Security

James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code. To fix those issues, we are releasing Geeklog 1.4.0sr1 and 1.3.11sr4 and strongly suggest that you install those updates as soon as possible.

For Geeklog 1.4.0, there's the complete 1.4.0sr1 tarball as well as an upgrade archive containing only the necessary changes over 1.4.0.

To upgrade from Geeklog 1.3.11sr3, use the 1.3.11sr4 upgrade archive. If you're running on an older 1.3.11 release, you will have to install the previous updates first. You can, of course, always choose to update to 1.4.0sr1 directly, following the usual upgrade instructions.

Upgrading to 1.4.0sr1 is also what we suggest to anyone using a Geeklog version older than 1.3.11, as the reported issues also affect all earlier versions.
