
Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 7:54 pm
by eirik
knuta wrote:
eirik wrote: Whatever the cause, reducing the number of changes tends to help reduce risk.
That's what I said, too. However, I said it in the comments on http://blog.cmsmadesimple.org/2010/02/23/announcing-cms-made-simple-1-6-7-teremba-bay/comment-page-1/#comment-4137. Why there are two separate comment threads in the blog and the forums beats me, but that is another story...
Replied here, as this seemed more active -- and more suitable for discussion. Thought it'd be a good idea to let others know that we're more people that feel the need for a stable release.
knuta wrote:
eirik wrote: Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?
The bug is documented at http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html. They forgot to link to it from the blog post, but the URL is mentioned in the source code.
Thanks for the link. I was a bit surprised to see the reference to bugtraq -- but I generally read it in bulk, a few times a month, so I hadn't seen the post yet.
knuta wrote: I diffed the two releases manually and determined that the security fix seems to be in lib/classes/class.module.inc.php only (and there are no other changes to that file). All the remaining changes seem non-critical, so I simply replaced that file with the new version to be safe before deploying the rest of the new release. It has been running on a relatively busy site for about 34 hours, so at least it didn't break anything.
Thank you for reposting the above information, and details regarding the fix. The original announcement was a bit light on detail.

It appears this is less serious on Linux. Can anyone confirm that?

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Sun Feb 28, 2010 5:06 am
by rotezecke
Rolf wrote:
Upgrading and skipping the error message you mentioned isn't a problem, everything still works fine afterwards.
It looks like at this point the folder 'safari' must be deleted (overwritten) and it won't for some reason...
This folder isn't there in the 1.6.7 package
I deleted the safari folder in question at my testsite and everything is still working like it should be.  ::)

Regards, Rolf  :)
It appears that the 1.6.6 - 1.6.7 tries to write an empty file named safari into a place where there's a directory named safari.
I moved the directory safari, tar -xzf 'cms...' and realised that the newly written safari is empty. So I deleted the empty file, and moved the safari directory back in its place.

I don't know whether the folder safari should be emptied or not.

cheers

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Sun Feb 28, 2010 11:14 am
by Rolf
Rotezecke,

The folder 'safari' isn't present when installing a brand new base 1.6.7 version...

Grtz. Rolf

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Sun Feb 28, 2010 1:25 pm
by Cherry
Just a question...
will there be a corrected version of the base-diff file?

I think it was promised days ago.

Yours
Cherry

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Sun Feb 28, 2010 2:04 pm
by Ted
New diff files are uploaded. Sorry for the delay.

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Wed Mar 03, 2010 3:04 pm
by jovo
Great.

1.6.7 also solved a problem with IE8 and compatibility mode.

I recently created a new website with 1.6.7 based on the standard NCleanBlue-template with some adjustments. Very nice template!
Also the integrated News-module works fine.

Thanks a lot!

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Mar 04, 2010 3:31 am
by stainless
Ziggywigged wrote: I've upgraded a few sites and noticed that nothing loads under the 'Profiles' tab from TinyMCE.
Has this been intentionally removed?
(I tried a reset all settings)
It's true, no profiles after upgrade. !?

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Mar 04, 2010 7:30 am
by Cherry
It seems that these two files are missing in the base-diff file:

modules/TinyMCE/function.admin_profiles.php
modules/TinyMCE/templates/profilespanel.tpl

They can be found in the full-diff file.


Yours Cherry