News

Geeklog 1.7.2 is a bugfix release only. It does not have any new features. There were no changes in the database, the themes, or the language files, so this should be a painless upgrade for everybody. As announced before, this will also be the last Geeklog version to support PHP 4.

Bugfixes in this version address compatibility issues with PHP 4 in the Static Pages plugin and PostgreSQL support, other Postgres fixes, and fixed handling of the [imageX] tags when changing a story id. A list of all the changed files (since 1.7.1sr1) is included in the tarball in docs/changed-files.

Mark Evans informs us that Saif El-Shere reported XSS in the bbcode of the Forum plugin for glFusion. Due to the shared history of the two projects, these XSS also exist in the Forum plugin for Geeklog. The Forum plugin 2.7.4 fixes these issues.

To upgrade from version 2.7.3, you need to replace these 3 files:

• config.php (for the version number)
• functions.inc (for the upgrade code)
• public_html/include/gf_format.php (which contains the actual fix)

Then simply run the upgrade from Geeklog's Plugin admin panel.

Geeklog 1.7.1sr1 addresses an XSS in the Configuration admin panel, reported by Aung Khant of the YGN Ethical Hacker Group. Due to the built-in CSRF protection this weakness is somewhat harder to exploit but we would nonetheless advise that you secure your site by installing this update ASAP.

In addition to the complete 1.7.1sr1 tarball, there are also update files for Geeklog 1.7.1 and for Geeklog 1.6.1sr1 that contain only a fixed version of the affected file (see the included README file for installation instructions).

Users of older Geeklog releases should consider upgrading to Geeklog 1.7.1sr1 soon (use the complete 1.7.1sr1 tarball to upgrade from any older version).