[pmwiki-announce] PmWiki 2.2.2 released -- AuthUser security bugfix.
Petko Yotov
5ko at 5ko.fr
Sun Jun 21 16:03:39 CDT 2009
Hello. I have released pmwiki-2.2.2 stable today, available at:
http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.2.tgz
http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.2.zip
svn://www.pmwiki.org/pmwiki/tags/latest
The major news in this release is a fix for an AuthUser vulnerability,
reported by Eemeli Aro.
The vulnerability affects only wikis that (1) rely on the AuthUser core module
for User:Password authentication, -AND- (2) where the PHP installation runs
with the variable "magic_quotes_gpc" disabled.
All PmWiki 2.1.x versions from pmwiki-2.1.beta6 on, all 2.2.betaX, 2.2.0, and
2.2.1 are affected.
The PmWiki SiteAnalyzer can detect if your wiki needs to upgrade:
http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer
If your wiki is vulnerable, you should do one of the following at the earliest
opportunity:
* Upgrade to PmWiki version 2.2.2 or later.
* Turn on magic_quotes_gpc in the php.ini file or in a .htaccess file.
Alternatively, you can temporarily disable AuthUser until you upgrade.
Note that even if your wiki does not have the AuthUser vulnerability at the
moment, you are strongly encouraged to upgrade to PmWiki version 2.2.2 or
later, as some future configuration of your hosting server might put you at
risk.
If upgrading poses a difficulty for any site, please contact me at 5ko at 5ko.fr
for assistance; a patch for older versions of PmWiki can be made
available.
This release also comes with minor updates in the local documentation; fixes
were applied for international wikis - notably global variables in
xlpage-utf-8.php and a new variable $EnableNotifySubjectEncode, which allows
e-mail clients to correctly display the Subject header; and a number of other
small bugs were fixed.
Comments and questions are welcome, as always.
Thanks,
Petko