
Geeklog 1.3.8-1sr2

  • Tuesday, October 14 2003 @ 04:30 pm EDT
  • Views: 16,098
Security

Following on the heels of 1.3.8-1sr1 is 1.3.8-1sr2, available as a (tiny) upgrade archive as well as a complete tarball.

Jouko Pynnonen found a way to trick the new "forgot password" feature, which was only introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses this issue - there were no other changes.

Users of 1.3.7sr3 are not affected (as the feature simply didn't exist there).

bye, Dirk

Gallery Random Photo Block v1.2

  • Tuesday, October 14 2003 @ 04:01 pm EDT
  • Contributed by: Anonymous
  • Views: 12,523
Announcements

This Geeklog PHP function uses the Gallery Random Block code contributed by Bharat Mediratta - Gallery Developer. It uses all gallery API calls and does not have a problem with empty albums or restricted albums.

Please see the INSTALL.txt for notes on changes.

This block has been tested with Geeklog-1.3.8-sr1 and Gallery 1.4-pl1 (installed via the new gallery integration).

Thanks go to Blaine for letting me run with this.

It can be downloaded at LANside.

Geeklog 1.3.8-1sr1 and 1.3.7sr3 Security Updates

  • Sunday, October 12 2003 @ 02:30 pm EDT
  • Views: 11,693
Security

In response to the recent reports about (confirmed and unconfirmed) security issues in Geeklog, we are releasing updates to Geeklog 1.3.8-1sr1 and 1.3.7sr3, addressing most of these issues (but not all - see below for details). There's also a complete 1.3.8-1sr1 tarball that should be used for fresh installs.

The upgrades include Ulf Harnhammar's kses HTML filter to address possible JavaScript injections and CSS defacements.

As for the (still unconfirmed) SQL injections, the upgrades include a fix to the database class that does not display SQL errors in the browser any more (they are only logged in Geeklog's error.log). While this does not make you safe from SQL injection attempts, it does at least avoid disclosing any sensitive information as part of the error message.

Furthermore, we do not at this time recommend using Geeklog with MySQL 4.1 (which, I may add, is still in alpha state and thus shouldn't be used on production sites anyway). An upcoming release of Geeklog will address the remaining SQL issues, including any problems with MySQL 4.1.
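To illustrate the database-class change described above, here is an added example (not Geeklog's own code) of a query wrapper that writes the driver's error message only to an error log and hands the caller nothing but a failure flag, so no table names or query fragments reach the browser. It also binds parameters, which is the actual injection fix the post says is still pending; the class name, log path and PDO/SQLite setup are assumptions for this example.

```php
<?php
// Added illustration, not Geeklog's database class. Class, method and log
// path are hypothetical. SQLite in memory is used so it runs stand-alone.

class SafeDb
{
    private PDO $pdo;
    private string $errorLog;

    public function __construct(PDO $pdo, string $errorLog)
    {
        $this->pdo = $pdo;
        $this->errorLog = $errorLog;
        // Make the driver throw on failure so the wrapper can catch the error
        // instead of the default behaviour of surfacing it to the page.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Run a query with bound parameters. On failure, the full driver message
    // (which may reveal table or column names) goes only to the log file;
    // the caller gets false and can show a generic message to the visitor.
    public function query(string $sql, array $params = []): PDOStatement|false
    {
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);
            return $stmt;
        } catch (PDOException $e) {
            $line = sprintf("%s - SQL error: %s - query: %s\n",
                date('c'), $e->getMessage(), $sql);
            error_log($line, 3, $this->errorLog); // type 3 = append to file
            return false;
        }
    }
}

$db = new SafeDb(new PDO('sqlite::memory:'), __DIR__ . '/error.log');
$db->query('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT)');
// User-supplied value is bound, never interpolated into the SQL string.
$db->query('INSERT INTO users (username) VALUES (?)', ["o'brien"]);

// A query against a missing table: the driver error is logged, not displayed.
if ($db->query('SELECT * FROM no_such_table') === false) {
    echo "An error occurred. Please try again later.\n";
}
```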
