Announcing CMSMS 1.9.4.3 - Important Security Release
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Announcing CMSMS 1.9.4.3 - Important Security Release
Today we have released CMSMS 1.9.4.3, a minor release that fixes a single security issue in the news module. Essentially, a malicious person could, via accessing a single URL, corrupt your news articles.
This issue has been around for a long time, and only recently came to light. We recommend that everybody upgrade their CMSMS installs as soon as possible.
There is no database schema change in this version, therefore we have provided 'patch' versions to make this easier for those that are running a recent version of CMSMS. You should be able to download the appropriate 'diff' package, and upload it directly to your site(s).
Thank you for your time and consideration.
We would like to thank the people that reported this issue in a professional and mature manner.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
Yeah the forge is down... please stand by.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
it's back... thanks for your patience.
- Forum Members
- Posts: 21
- Joined: Thu Mar 23, 2006 11:06 am
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade ?
Steve
- Power Poster
- Posts: 751
- Joined: Fri Sep 12, 2008 2:34 pm
- Location: Schweiz / Switzerland
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
Please update tinymce to 2.9.1 in this release. When I don't use the diff, there are problems when I overwrite 2.9.1 with this release.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
Thank you for your detailed message. Were you running a stock version of CMSMS 1.9.4.2, or had you customized TinyMCE?
tractorboy wrote: I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade ?
Steve
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
Same for me. And I have a stock install. All tab text has changed to smarty tags. Add image also.
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
I am in the same situation as dmgd and tractorboy...
Upgraded from tinymce 2.8.4 to 2.9.1 (overwriting old folder with new) followed by upgrade of CMSMS from 1.9.4.2 to 1.9.4.3 by unzipping the diff file.
As well as smarty/dropdown problems, other things I noticed re style dropdown: when you make a selection the correct class is applied to the tag in the content, but tiny is no longer seeing the content stylesheet. (Style attributes specified for tinymce's own body tag still work).
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
I was going to upgrade a number of sites using this release but I'm now nervous and hanging fire. Please advise.
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
It is because all TinyMCE files seem to be 0 bytes in the diff package
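A pre-upload check for the condition reported above, as an added example that is not part of the original thread or of CMSMS: it lists the 0-byte entries in a zip package and flags those that would overwrite a non-empty installed file. The zip format, the function names and the sample file names under modules/TinyMCE are assumptions; the sample package is constructed.

```python
import io
import os
import tempfile
import zipfile

def empty_members(package):
    """Return file entries in the zip whose uncompressed size is 0 bytes."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sorted(i.filename for i in zf.infolist()
                      if not i.is_dir() and i.file_size == 0)

def would_truncate(package, install_root):
    """Empty entries that would overwrite a non-empty installed file."""
    def installed_size(name):
        path = os.path.join(install_root, *name.split("/"))
        return os.path.getsize(path) if os.path.isfile(path) else 0
    return [n for n in empty_members(package) if installed_size(n) > 0]

def extract_non_empty(package, install_root):
    """Unpack only entries with content; legitimately empty files are skipped too."""
    skip = set(empty_members(package))
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        keep = [i for i in zf.infolist() if not i.is_dir() and i.filename not in skip]
        for info in keep:
            zf.extract(info, install_root)  # extract() strips absolute and ".." path parts
    return sorted(i.filename for i in keep)

def build_sample():
    """Constructed sample package; the names under modules/TinyMCE are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("version.php", "modules/news/action.editarticle.php"):
            zf.writestr(name, "<?php // constructed placeholder\n")
        for name in ("modules/TinyMCE/sample_a.js", "modules/TinyMCE/sample_b.js"):
            zf.writestr(name, "")  # 0-byte entries, as reported in the thread
    return buf.getvalue()

def demo():
    """Run the checks against a throwaway install tree holding one working file."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "modules", "TinyMCE", "sample_a.js")
        os.makedirs(os.path.dirname(victim))
        with open(victim, "w") as fh:
            fh.write("// installed, working file\n")
        pkg = build_sample()
        return {"empty": empty_members(pkg), "at_risk": would_truncate(pkg, root),
                "written": extract_non_empty(pkg, root),
                "intact": os.path.getsize(victim) > 0}
```

Review the `empty_members` list before relying on `extract_non_empty`, since a package can contain files that are meant to be empty.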
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
jospanner wrote: I was going to upgrade a number of sites using this release but I'm now nervous and hanging fire. Please advise.
Upgraded several sites using the full diff file. On one of them I received this error for a short while after the upgrade:
"Attempt to use ADODB from outside of CMS"
After clearing cache and buffers the error was gone. No clue what has caused the temporary error message.
Upgrade of TinyMCE was more of a problem. Download from the modulemanager isn't working in any of my CMS sites. Either a bad checksum after download, or the download isn't available. Manual download from Sourceforge and upload to the modules folder is necessary.
Hope this helps to make you less nervous.
greetings
Marc
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
I tried uploading via XML but have the issue that the filepicker is not visible once I run the latest version of TINYMCE. It seems to be the 2.9.1 version doesn't work with 1.9.4.3? I agree the Module Manager doesn't work.
It has German text in the Module Manager too.
So I have upgraded using the full files to 1.9.4.3 but left the TINYMCE as version 2.8.4.
Any way around it to be able to upgrade to the latest TINYMCE would be good.
Thanks all.
PS - Just spotted this is an issue already reported http://dev.cmsmadesimple.org/bug/view/6666
When will it be fixed?
Last edited by jospanner on Wed Aug 31, 2011 8:50 am, edited 1 time in total.
- Forum Members
- Posts: 21
- Joined: Thu Mar 23, 2006 11:06 am
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
It's the stock version of TinyMCE. The Modules screen gives the version as 2.8.4
calguy1000 wrote: Thank you for your detailed message. Were you running a stock version of CMSMS 1.9.4.2, or had you customized TinyMCE?
tractorboy wrote: I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade ?
Steve
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
I have the same issue. Was running 2.8.4. If I upgrade to 2.9.1 (Module Manager doesn't work) have to do it via XML then TINYMCE has issues. Doesn't show filepicker when trying to add an image for example.
Re: Announcing CMSMS 1.9.4.3 - Important Security Release
The diff files are screwed. Only upload these files:
doc/CHANGELOG.txt
modules/news/action.editarticle.php
modules/news/changelog.inc
modules/news/News.module.php
version.php