Announcing CMS Made Simple 1.6.7 – Teremba Bay

[eirik]

Whatever the cause, reducing the number of changes, tends to help reduce risk.

That's what I said, too. However, I said it in the comments on http://blog.cmsmadesimple.org/2010/02/23/announcing-cms-made-simple-1-6-7-teremba-bay/comment-page-1/#comment-4137. Why there are two separate comment threads in the blog and the forums beats me, but that is another story...

Replied here, as this seemed more active -- and more suitable for discussion. Thought it'd be a good idea to let other's know that we're more people that feel the need for a stable release.

Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?

The bug is documented at http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html. They forgot to link to it from the blog post, but the URL is mentioned in the source code.

Thanks for the link. I was a bit surprised to see the reference to bugtraq -- but I generally read it in bulk, a few times a month, so I hadn't seen the post yet.

I diffed the two releases manually and determined that the security fix seems to be in lib/classes/class.module.inc.php only (and there are no other changes to that file). All the remaining changes seem non-critical, so I simply replaced that file with the new version to be safe before deploying the rest of the new release. It has been running on a relatively busy site for about 34 hours, so at least it didn't break anything.

Thank you for reposting the above information, and details regarding the fix. The original announcement was a bit light on detail.

It appears this is less serious on Linux. Can anyone confirm that ?

[rotezecke]

Upgrading and skipping the error message you mentioned isn't a problem, everything still works fine afterwards.
It looks like at this point the folder 'safari' must be deleted (overwritten) and it won't for some reason...
This folder isn't there in the 1.6.7 package
I deleted the safari folder in question at my testsite and everything is still working like it should be. 

Regards, Rolf 

It appears that the 1.6.6 - 1.6.7 tries to write an empty file named safari into a place where there's a directory named safari.
i moved the directory safari, tar -xzf 'cms...' and realised that the newly written safari is empty. so i deleted the empty file, and moved safari directory back in its place.

i dont know whether the folder safari should be emptied or not.

cheers

[Rolf]

Rotezecke,

The folder 'safari' isn't present when installing a brand new base 1.6.7 version...

Grtz. Rolf

[Cherry]

just a question.....
will there be a corrected version of the base-diff file?

I think it was promised days ago.

Yours
Cherry

[Ted]

New diff files are uploaded. Sorry for the delay.

[jovo]

Great.

1.6.7 also solved a problem with IE8 and compatibility mode.

I recently created a new website with 1.6.7 based on the standard NCleanBlue-template with some adjustments. Very nice template!
Also the integrated News-module works fine.

Thanks a lot!

[stainless]

I've upgraded a few sites and noticed that nothing loads under the 'Profiles' tab from TinyMCE.
Has this been intentionally removed?
(I tried a reset all settings)

It's true, no profiles after upgrade. !?

[Cherry]

It seems that these two files are missing in the base-diff file:

Code:

modules/TinyMCE/function.admin_profiles.php
modules/TinyMCE/templates/profilespanel.tpl

They can be found in the full-diff file.


Yours Cherry