Announcing CMSMS 1.9.4.3 - Important Security Release

Post by calguy1000 »

Today we have released CMSMS 1.9.4.3, a minor release that fixes a single security issue in the news module. Essentially, a malicious person could, via accessing a single URL, corrupt your news articles.

This issue has been around for a long time, and only recently came to light. We recommend that everybody upgrade their CMSMS installs as soon as possible.

There is no database schema change in this version, therefore we have provided 'patch' versions to make this easier for those that are running a recent version of CMSMS. You should be able to download the appropriate 'diff' package, and upload it directly to your site(s).

Thank you for your time and consideration.

We would like to thank the people that reported this issue in a professional and mature manner.

Post by calguy1000 »

Yeah the forge is down... please stand by.

Post by calguy1000 »

it's back... thanks for your patience.

Post by tractorboy »

I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade?

Steve

Post by nockenfell »

Please update tinymce to 2.9.1 in this release. When I don't use the diff, there are problems when I overwrite 2.9.1 with this release.

Post by calguy1000 »

Thank you for your detailed message. Were you running a stock version of CMSMS 1.9.4.2, or had you customized TinyMCE?

tractorboy wrote: I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade?

Steve

Post by dmgd »

Same for me. And I have a stock install. All tab text has changed to Smarty tags. Add image also.

Post by kmesd62 »

I am in the same situation as dmgd and tractorboy...

Upgraded from tinymce 2.8.4 to 2.9.1 (overwriting old folder with new) followed by upgrade of CMSMS from 1.9.4.2 to 1.9.4.3 by unzipping the diff file.

As well as smarty/dropdown problems, other things I noticed re style dropdown: when you make a selection the correct class is applied to the tag in the content, but tiny is no longer seeing the content stylesheet. (Style attributes specified for tinymce's own body tag still work.)

Post by jospanner »

I was going to upgrade a number of sites using this release but I'm now nervous and hanging fire. Please advise.

Post by Jip »

It is because all TinyMCE files seem to be 0 bytes in the diff package

Post by waterman »

jospanner wrote: I was going to upgrade a number of sites using this release but I'm now nervous and hanging fire. Please advise.

Upgraded several sites using the full diff file. On one of them I received this error for a short while after the upgrade:
"Attempt to use ADODB from outside of CMS"
After clearing cache and buffers the error was gone. No clue what has caused the temporary error message.

Upgrade of TinyMCE was more of a problem. Download from the modulemanager isn't working in any of my CMS sites. Either a bad checksum after download, or the download isn't available. Manual download from Sourceforge and upload to the modules folder is necessary.

Hope this helps to make you less nervous.

greetings

Marc

Post by jospanner »

I tried uploading via XML but have the issue that the filepicker is not visible once I run the latest version of TINYMCE. It seems to be the 2.9.1 version doesn't work with 1.9.4.3? I agree the Module Manager doesn't work.

It has German text in the Module Manager too.

So I have upgraded using the full files to 1.9.4.3 but left the TINYMCE as version 2.8.4.

Any way around it to be able to upgrade to the latest TINYMCE would be good.

Thanks all.

PS - Just spotted this is an issue already reported http://dev.cmsmadesimple.org/bug/view/6666

When will it be fixed?
Last edited by jospanner on Wed Aug 31, 2011 8:50 am, edited 1 time in total.

Post by tractorboy »

It's the stock version of TinyMCE. The Modules screen gives the version as 2.8.4.
calguy1000 wrote: Thank you for your detailed message. Were you running a stock version of CMSMS 1.9.4.2, or had you customized TinyMCE?

tractorboy wrote: I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade?

Steve

Post by jospanner »

I have the same issue. Was running 2.8.4. If I upgrade to 2.9.1 (Module Manager doesn't work) have to do it via XML then TINYMCE has issues. Doesn't show filepicker when trying to add an image for example.

Post by cb2004 »

The diff files are screwed. Only upload these files:

doc/CHANGELOG.txt

modules/news/action.editarticle.php
modules/news/changelog.inc
modules/news/News.module.php

version.php
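
The pre-upload check this thread points to, as an added example that is not part of the original posts and not CMSMS tooling: it flags zero-byte entries in a patch archive and extracts only the files listed in the post above. It assumes the diff package is a zip with paths relative to the site root; the TinyMCE file names in the sample are constructed.

```python
import io
import zipfile

# Paths from the last post in the thread: the only files it says to upload.
ALLOWED = {
    "doc/CHANGELOG.txt",
    "modules/news/action.editarticle.php",
    "modules/news/changelog.inc",
    "modules/news/News.module.php",
    "version.php",
}

def audit_package(zf):
    """Split archive entries into (safe, empty, skipped) path lists."""
    safe, empty, skipped = [], [], []
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        if info.file_size == 0:
            empty.append(name)      # would overwrite a live file with nothing
        elif name in ALLOWED:
            safe.append(name)
        else:
            skipped.append(name)    # real content, but not part of the fix
    return sorted(safe), sorted(empty), sorted(skipped)

def extract_allowed(zf, dest):
    """Extract only non-empty allowlisted files; return what was written."""
    safe, _, _ = audit_package(zf)
    for name in safe:
        zf.extract(name, dest)
    return safe

def build_sample():
    """Constructed stand-in for the diff package (not the real archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("version.php", "<?php // constructed sample\n")
        zf.writestr("modules/news/News.module.php", "<?php // constructed\n")
        zf.writestr("modules/TinyMCE/TinyMCE.module.php", "")  # 0 bytes
        zf.writestr("modules/TinyMCE/lang/en_US.php", "")      # 0 bytes
    buf.seek(0)
    return zipfile.ZipFile(buf)

if __name__ == "__main__":
    safe, empty, skipped = audit_package(build_sample())
    print("upload:", safe)
    print("zero-byte (do not upload):", empty)
    print("not on allowlist:", skipped)
```

An allowlisted file that is itself zero bytes lands in the empty list and is not extracted, so a truncated copy of the fix is never written over a working file.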