
All times are UTC




 Post subject: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Wed Feb 24, 2010 1:12 pm 
Administrator

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3329
Location: Fairless Hills, Pa USA
(Forgot the forum post -- sorry)

This is a security release, with the bonus of having some feature and bug fixes as well. It’s recommended that you upgrade as soon as possible, since this flaw has been published and could possibly be being exploited as we speak.

Thanks to Beenu Arora and 0x6a616d6573 for testing and pointing out the flaws.

Below is the full list of changes. Enjoy!

Version 1.6.7 – Teremba Bay
—————————–
- #3999 Upload a file with apostrophe make problem
- #4137 small text typo in admin/login.php
- #4192 Extra Page Attribute’s are listed in the wrong order
- #4208 Don’t show inactive template in the page 404
- #4431 UDT names not validated when being edited
- Improvements to XML module generation
- Fixes to prevent possible remote file inclusion vulnerabilities
- Minor improvements to the News module
- New version of TinyMCE
- Improvements to File Manager and Image Manager
- Improvements to Module Manager; upgrade now possible from the “Available Upgrades”-tab
- Adsense-plugin modified, to accept the ad_slot parameter

_________________
http://about.me/tedkulp


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Wed Feb 24, 2010 1:15 pm 
Administrator

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3329
Location: Fairless Hills, Pa USA
I'm aware of the 4 extra files in cmsmadesimple-base-diff-1.6.6-1.6.7.tar.gz.  I'll cut another release of it today.  There is a bug in the diff script and those files showed up somehow from TinyMCE.  I'll make sure they're not there when I redo it.

 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Wed Feb 24, 2010 2:36 pm 
Great news, and cheers to you and ALL the developers who devote so much time & energy!

Quick question: I have some time to do upgrades this morning....do the four extra files break the upgrade to 1.6.7, or are they just harmless orphans?

Thanks again!


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Wed Feb 24, 2010 2:45 pm 
Power Poster

Joined: Sat Feb 02, 2008 12:42 am
Posts: 424
Location: USA
I've upgraded a few sites and noticed that nothing loads under the 'Profiles' tab from TinyMCE.
Has this been intentionally removed?
(I tried a reset all settings)


BTW: Love the new Module Manager upgrade feature. Very helpful.
As always, great job guys!

_________________
Take a penny, leave a penny.


Last edited by Anonymous on Wed Feb 24, 2010 2:51 pm, edited 1 time in total.

 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Wed Feb 24, 2010 6:41 pm 
Forum Members

Joined: Mon Jan 28, 2008 4:04 am
Posts: 34
@ziggywigged - I noticed the same thing.

Posted separately (http://forum.cmsmadesimple.org/index.ph ... #msg197682) but the solution there was to upload the /Modules/TinyMCE/ folder from the full 1.6.7 package. 

That worked for me!


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 5:02 am 
Power Poster

Joined: Fri Apr 18, 2008 9:34 pm
Posts: 355
Location: Nimbin, Australia
Hi there
this is what i did (and i think this is what i used to do in the past)
cd siteroot
tar -xzf cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz

this is what i get. (i downloaded 1.6.6 to 1.6.7 - full on 25.feb.2010 ~5am UTC)
tar: ./modules/TinyMCE/tinymce/jscripts/tiny_mce/plugins/safari: Cannot open: File exists
tar: Error exit delayed from previous errors

any idea/new update?
cheers
rotezecke


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 11:08 am 
Dev Team Member

Joined: Wed Apr 23, 2008 7:53 am
Posts: 7710
Location: The Netherlands
rotezecke wrote:
Hi there
this is what i did (and i think this is what i used to do in the past)
cd siteroot
tar -xzf cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz

this is what i get. (i downloaded 1.6.6 to 1.6.7 - full on 25.feb.2010 ~5am UTC)
tar: ./modules/TinyMCE/tinymce/jscripts/tiny_mce/plugins/safari: Cannot open: File exists
tar: Error exit delayed from previous errors

any idea/new update?
cheers
rotezecke


Hello rotezecke, welcome here!

I looked into this.
Upgrading and skipping the error message you mentioned isn't a problem, everything still works fine afterwards.
It looks like at this point the folder 'safari' must be deleted (overwritten) and it won't for some reason...
This folder isn't there in the 1.6.7 package
I deleted the safari folder in question at my testsite and everything is still working like it should be.  ::)

Perhaps Ted can confirm that this folder must be (can be) deleted, or that just leaving it there isn't a problem either...

Regards, Rolf  :)

_________________
Did my post help you solving a problem at your (customers) website and it saved you many hours of work? Great!! Consider buying me a cup of coffee in return!



Last edited by Rolf on Thu Feb 25, 2010 3:44 pm, edited 1 time in total.

 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 3:55 pm 
It would be really helpful if new releases, especially when security is an issue, were always announced via email. I don't visit this site every day, or even every week.

Also, I'd like to echo the comment made on the blog about not appreciating new features being bundled with a security patch -- it adds additional work and testing.

That said, thanks for your hard work!


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 4:03 pm 
Dev Team Member

Joined: Wed Apr 23, 2008 7:53 am
Posts: 7710
Location: The Netherlands
Deak wrote:
It would be really helpful if new releases, especially when security is an issue, were always announced via email. I don't visit this site every day, or even every week.

Hello deak,

Somebody correct me if I'm wrong but I think a mail was sent around with:
http://www.cmsmadesimple.org/support/mailing-lists/

And besides that you can use the 'Notify' option in the Announcements board to keep you up-to-date of new topics here...

Regards, Rolf  :)

 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 4:14 pm 
Power Poster

Joined: Sat Feb 02, 2008 12:42 am
Posts: 424
Location: USA
@Deak - I disagree, I like new features. The upgrade feature added to the Module Manager will help save time in the long run.

@Rolf - I'm subscribed but did not receive an email.

BTW, one could also subscribe to the blog's RSS feed or even Twitter (that's how I was notify'd).

 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 4:24 pm 
Dev Team Member

Joined: Wed Apr 23, 2008 7:53 am
Posts: 7710
Location: The Netherlands
Ziggywigged wrote:
@Rolf - I'm subscribed but did not receive an email.

Hmm, strange...  :-\
I checked my mailbox and I really got an announcement there...
See attached image

Attachments:
01.jpg [ 51.4 KiB | Viewed 6929 times ]

 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 5:07 pm 
@Rolf - I have received previous update emails, but not the latest one. Strange! I've added my email address to the list again and didn't receive any "you're already subscribed" message (not even sure one would be generated). Having signed up again I also did not receive a double opt-in confirmation (tut-tut, CAN-SPAM and all that).

If the CMS Made Simple team would like a free account with a professional email marketing system, drop me a message. It's what I do for a living. No offence to Newsletter Made Simple, but it'll do your server and your email list more harm than good.


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 5:42 pm 
New Member

Joined: Wed Mar 26, 2008 6:46 am
Posts: 2
Hi,

I would also appreciate a stable release version, that would be easier to provide security support for. While cmsms is a nice little system, parts of the code are rather messy, and I have frequently seen things break on upgrades and minor reconfiguration -- quite possibly due to improperly written extensions.

Whatever the cause, reducing the number of changes, tends to help reduce risk.

Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?

BTW, I did receive the email-announcement, so at least that part works for me.


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 6:27 pm 
Power Poster

Joined: Fri Feb 02, 2007 4:31 pm
Posts: 2385
Location: Comox Valley, BC
@Ted

Any idea when the corrected diff file will be released?

Thanks,
Nullig


 Post subject: Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay
PostPosted: Thu Feb 25, 2010 6:39 pm 
New Member

Joined: Thu Feb 25, 2010 6:24 pm
Posts: 2
eirik wrote:
I would also appreciate a stable release version, that would be easier to provide security support for. While cmsms is a nice little system, parts of the code are rather messy, and I have frequently seen things break on upgrades and minor reconfiguration -- quite possibly due to improperly written extensions.

Whatever the cause, reducing the number of changes, tends to help reduce risk.


That's what I said, too. However, I said it in the comments on http://blog.cmsmadesimple.org/2010/02/23/announcing-cms-made-simple-1-6-7-teremba-bay/comment-page-1/#comment-4137. Why there are two separate comment threads in the blog and the forums beats me, but that is another story...

eirik wrote:
Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?


The bug is documented at http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html. They forgot to link to it from the blog post, but the URL is mentioned in the source code.

I diffed the two releases manually and determined that the security fix seems to be in lib/classes/class.module.inc.php only (and there are no other changes to that file). All the remaining changes seem non-critical, so I simply replaced that file with the new version to be safe before deploying the rest of the new release. It has been running on a relatively busy site for about 34 hours, so at least it didn't break anything.

Good luck!

--
Knut Auvor Grythe
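
The manual diff of two releases described in the post above can be scripted. The following is an added example, not part of the original thread and not CMS Made Simple code: it hashes two unpacked release trees and lists which paths were added, removed or changed, and it also reports paths that are a directory in one tree and a file in the other, which an in-place extraction cannot simply overwrite. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each relative path under root to 'dir' or the SHA-256 of the file."""
    entries = {}
    for base, dirs, files in os.walk(root):
        for name in dirs:
            entries[os.path.relpath(os.path.join(base, name), root)] = "dir"
        for name in files:
            path = os.path.join(base, name)
            with open(path, "rb") as fh:
                entries[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return entries

def compare_releases(old_root, new_root):
    """Classify every path that differs between two unpacked release trees."""
    old, new = snapshot(old_root), snapshot(new_root)
    report = {"added": [], "removed": [], "changed": [], "type_changed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            # A directory on one side and a file on the other is a type conflict.
            kind = "type_changed" if "dir" in (old[path], new[path]) else "changed"
            report[kind].append(path)
    return report

def demo():
    """Build two small constructed trees (not real CMSMS files) and compare them."""
    old_files = {"lib/core.php": b"v1", "lib/util.php": b"same",
                 "plugins/safari/editor.js": b"x"}
    new_files = {"lib/core.php": b"v1 patched", "lib/util.php": b"same",
                 "plugins/safari": b"", "doc/CHANGELOG": b"notes"}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in (("old", old_files), ("new", new_files)):
            for rel, data in files.items():
                path = os.path.join(tmp, label, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_releases(os.path.join(tmp, "old"), os.path.join(tmp, "new"))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run against the real unpacked 1.6.6 and 1.6.7 trees, the `changed` list is the set of files to review when isolating a security fix from the bundled feature changes.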

