
Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Sat Aug 27, 2011 5:18 pm
by calguy1000
Today we have released CMSMS 1.9.4.3, a minor release that fixes a single security issue in the news module. Essentially, a malicious person could via accessing a single URL corrupt your news articles.

This issue has been around for a long time, and only recently came to light. We recommend that everybody upgrade their CMSMS installs as soon as possible.

There is no database schema change in this version, therefore we have provided 'patch' versions to make this easier for those that are running a recent version of CMSMS. You should be able to download the appropriate 'diff' package, and upload it directly to your site(s).

Thank you for your time and consideration.

We would like to thank the people that reported this issue in a professional and mature manner.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Sat Aug 27, 2011 8:35 pm
by calguy1000
Yeah the forge is down... please stand by.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Sat Aug 27, 2011 9:42 pm
by calguy1000
it's back... thanks for your patience.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Mon Aug 29, 2011 10:38 am
by tractorboy
I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade ?

Steve

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Mon Aug 29, 2011 11:33 am
by nockenfell
Please update tinymce to 2.9.1 in this release. When I don't use the diff, there are problems when I overwrite 2.9.1 with this release.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Mon Aug 29, 2011 1:36 pm
by calguy1000
Thank you for your detailed message. Were you running a stock version of CMSMS 1.9.4.2, or had you customized TinyMCE?

tractorboy wrote:I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade ?

Steve

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Mon Aug 29, 2011 2:51 pm
by dmgd
Same for me. And I have a stock install. All tab text has changed to smarty tags. Add image also.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Mon Aug 29, 2011 6:26 pm
by kmesd62
I am in the same situation as dmgd and tractorboy...

Upgraded from tinymce 2.8.4 to 2.9.1 (overwriting old folder with new) followed by upgrade of CMSMS from 1.9.4.2 to 1.9.4.3 by unzipping the diff file.

As well as smarty/dropdown problems, other things I noticed re style dropdown: when you make a selection the correct class is applied to the tag in the content, but tiny is no longer seeing the content stylesheet. (Style attributes specified for tinymce's own body tag still work).

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Tue Aug 30, 2011 12:06 pm
by jospanner
I was going to upgrade a number of sites using this release but I'm now nervous and hanging fire. Please advise.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Tue Aug 30, 2011 1:53 pm
by Jip
It is because all TinyMCE files seem to be 0 bytes in the diff package

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Wed Aug 31, 2011 6:56 am
by waterman
jospanner wrote:I was going to upgrade a number of sites using this release but I'm now nervous and hanging fire. Please advise.

Upgraded several sites using the full diff file. On one of them I received this error for a short while after the upgrade:
"Attempt to use ADODB from outside of CMS"
After clearing cache and buffers the error was gone. No clue what has caused the temporary error message.

Upgrade of TinyMCE was more of a problem. Download from the modulemanager isn't working in any of my CMS sites. Either a bad checksum after download, or the download isn't available. Manual download from Sourceforge and upload to the modules folder is necessary.

Hope this helps to make you less nervous.

greetings

Marc

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Wed Aug 31, 2011 8:29 am
by jospanner
I tried uploading via XML but have the issue that the filepicker is not visible once I run the latest version of TINYMCE. It seems to be the 2.9.1 version doesn't work with 1.9.4.3? I agree the Module Manager doesn't work.

It has German text in the Module Manager too.

So I have upgraded using the full files to 1.9.4.3 but left the TINYMCE as version 2.8.4.

Any way around it to be able to upgrade to the latest TINYMCE would be good.

Thanks all.

PS - Just spotted this is an issue already reported http://dev.cmsmadesimple.org/bug/view/6666

When will it be fixed?

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Wed Aug 31, 2011 8:50 am
by tractorboy
It's the stock version of TinyMCE. The Modules screen gives the version as 2.8.4
calguy1000 wrote:Thank you for your detailed message. Were you running a stock version of CMSMS 1.9.4.2, or had you customized TinyMCE?

tractorboy wrote:I got the cmsmsmadesimple-english-diff1.9.4.2-1.9.4.3 and tested on my local install. The tiny MCE updates change the text on the drop-downs to “advanced.style”, “advanced.paragraph” etc. instead of "Styles", "Format" etc. I re-copied modules/TinyMCE from the 1.9.4.2 release but this didn't fix the problem.
Are the TinyMCE files required for the security upgrade ?

Steve

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Wed Aug 31, 2011 9:09 am
by jospanner
I have the same issue. Was running 2.8.4. If I upgrade to 2.9.1 (Module Manager doesn't work) have to do it via XML then TINYMCE has issues. Doesn't show filepicker when trying to add an image for example.

Re: Announcing CMSMS 1.9.4.3 - Important Security Release

Posted: Fri Sep 02, 2011 11:56 am
by cb2004
The diff files are screwed. Only upload these files:

doc/CHANGELOG.txt

modules/news/action.editarticle.php
modules/news/changelog.inc
modules/news/News.module.php

version.php
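
An added example, not part of the original thread or CMSMS's own tooling: POSIX shell functions that report 0-byte files in an extracted diff package and stage only the five files listed in the post above, refusing to proceed if any of them is missing or empty. The function names and the separate staging directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet an extracted diff package before uploading it.

# Files listed in the post above (paths relative to the package root).
WANTED='doc/CHANGELOG.txt
modules/news/action.editarticle.php
modules/news/changelog.inc
modules/news/News.module.php
version.php'

# list_empty_files PKG_DIR
# Print every 0-byte regular file in the package, relative to its root.
list_empty_files() {
    ( cd "$1" && find . -type f -size 0 | sed 's|^\./||' | sort )
}

# stage_patch PKG_DIR STAGE_DIR
# Copy only the wanted files into STAGE_DIR for upload.
# Returns non-zero, and copies nothing, if any wanted file is missing or empty.
stage_patch() {
    pkg=$1
    stage=$2
    bad=0
    for f in $WANTED; do
        if [ ! -s "$pkg/$f" ]; then   # -s: file exists and size > 0
            echo "missing or empty: $f" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 1
    for f in $WANTED; do
        mkdir -p "$stage/$(dirname "$f")"
        cp -p "$pkg/$f" "$stage/$f"
    done
}
```

Run `list_empty_files` on the unzipped package first to see which files would overwrite working ones with empty content, then upload the contents of the staging directory rather than the whole package.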