Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
Posted: Thu Feb 25, 2010 7:54 pm
eirik wrote: Whatever the cause, reducing the number of changes, tends to help reduce risk.

knuta wrote: That's what I said, too. However, I said it in the comments on http://blog.cmsmadesimple.org/2010/02/23/announcing-cms-made-simple-1-6-7-teremba-bay/comment-page-1/#comment-4137. Why there are two separate comment threads in the blog and the forums beats me, but that is another story...

Replied here, as this seemed more active -- and more suitable for discussion. Thought it'd be a good idea to let others know that we're more people that feel the need for a stable release.

eirik wrote: Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?

knuta wrote: The bug is documented at http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html. They forgot to link to it from the blog post, but the URL is mentioned in the source code.

Thanks for the link. I was a bit surprised to see the reference to bugtraq -- but I generally read it in bulk, a few times a month, so I hadn't seen the post yet.

knuta wrote: I diffed the two releases manually and determined that the security fix seems to be in lib/classes/class.module.inc.php only (and there are no other changes to that file). All the remaining changes seem non-critical, so I simply replaced that file with the new version to be safe before deploying the rest of the new release. It has been running on a relatively busy site for about 34 hours, so at least it didn't break anything.

Thank you for reposting the above information, and details regarding the fix. The original announcement was a bit light on detail.

It appears this is less serious on Linux. Can anyone confirm that?
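
An added example, not part of the original post and not CMS Made Simple code: one way to list which files differ between two unpacked releases, the comparison knuta describes doing manually before replacing a single file. The `old`/`new` directory names and the `placeholder/` files in the demo are constructed; only `lib/classes/class.module.inc.php` comes from the thread.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digest(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_releases(old_root, new_root):
    """Return files added, removed and modified between two unpacked releases."""
    old, new = tree_digest(old_root), tree_digest(new_root)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(f for f in old.keys() & new.keys() if old[f] != new[f]),
    }


def demo():
    """Build two tiny constructed trees and compare them (sample data only)."""
    sample = {
        "old": {"lib/classes/class.module.inc.php": "before fix",
                "placeholder/same.txt": "unchanged",
                "placeholder/dropped.txt": "only in old"},
        "new": {"lib/classes/class.module.inc.php": "after fix",
                "placeholder/same.txt": "unchanged",
                "placeholder/extra.txt": "only in new"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for release, files in sample.items():
            for rel, text in files.items():
                path = Path(tmp, release, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(text)
        return compare_releases(Path(tmp, "old"), Path(tmp, "new"))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

A hash comparison only narrows down which files changed; each modified file still has to be read as a diff to decide whether it carries the fix.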