Announcing CMS Made Simple 1.6.7 – Teremba Bay

Project Announcements. This is read-only, as in... not for problems/bugs/feature request.
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm
Location: Fairless Hills, Pa USA

Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Ted »

(Forgot the forum post -- sorry)

This is a security release, with the bonus of having some feature and bug fixes as well. It’s recommended that you upgrade as soon as possible, since this flaw has been published and could possibly be being exploited as we speak.

Thanks to Beenu Arora and 0x6a616d6573 for testing and pointing out the flaws.

Below is the full list of changes. Enjoy!

Version 1.6.7 – Teremba Bay
—————————–
- #3999 Upload a file with apostrophe make problem
- #4137 small text typo in admin/login.php
- #4192 Extra Page Attributes are listed in the wrong order
- #4208 Don’t show inactive template in the page 404
- #4431 UDT names not validated when being edited
- Improvements to XML module generation
- Fixes to prevent possible remote file inclusion vulnerabilities
- Minor improvements to the News module
- New version of TinyMCE
- Improvements to File Manager and Image Manager
- Improvements to Module Manager; upgrade now possible from the “Available Upgrades”-tab
- Adsense-plugin modified, to accept the ad_slot parameter
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm
Location: Fairless Hills, Pa USA

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Ted »

I'm aware of the 4 extra files in cmsmadesimple-base-diff-1.6.6-1.6.7.tar.gz.  I'll cut another release of it today.  There is a bug in the diff script and those files showed up somehow from TinyMCE.  I'll make sure they're not there when I redo it.
monghidi

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by monghidi »

Great news, and cheers to you and ALL the developers who devote so much time & energy!

Quick question: I have some time to do upgrades this morning... do the four extra files break the upgrade to 1.6.7, or are they just harmless orphans?

Thanks again!
Ziggywigged
Power Poster
Posts: 424
Joined: Sat Feb 02, 2008 12:42 am
Location: USA

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Ziggywigged »

I've upgraded a few sites and noticed that nothing loads under the 'Profiles' tab from TinyMCE.
Has this been intentionally removed?
(I tried a reset all settings)


BTW: Love the new Module Manager upgrade feature. Very helpful.
As always, great job guys!
Last edited by Anonymous on Wed Feb 24, 2010 2:51 pm, edited 1 time in total.
Take a penny, leave a penny.
baldguy
Forum Members
Posts: 34
Joined: Mon Jan 28, 2008 4:04 am

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by baldguy »

@ziggywigged - I noticed the same thing.

Posted separately (http://forum.cmsmadesimple.org/index.ph ... #msg197682) but the solution there was to upload the /Modules/TinyMCE/ folder from the full 1.6.7 package. 

That worked for me!
rotezecke
Power Poster
Posts: 411
Joined: Fri Apr 18, 2008 9:34 pm
Location: Nimbin, Australia

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by rotezecke »

Hi there
This is what I did (and I think this is what I used to do in the past):
cd siteroot
tar -xzf cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz

This is what I get (I downloaded 1.6.6 to 1.6.7 - full on 25.feb.2010 ~5am UTC):
tar: ./modules/TinyMCE/tinymce/jscripts/tiny_mce/plugins/safari: Cannot open: File exists
tar: Error exit delayed from previous errors

any idea/new update?
cheers
rotezecke
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Rolf »

rotezecke wrote: Hi there
This is what I did (and I think this is what I used to do in the past):
cd siteroot
tar -xzf cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz

This is what I get (I downloaded 1.6.6 to 1.6.7 - full on 25.feb.2010 ~5am UTC):
tar: ./modules/TinyMCE/tinymce/jscripts/tiny_mce/plugins/safari: Cannot open: File exists
tar: Error exit delayed from previous errors

any idea/new update?
cheers
rotezecke
Hello rotezecke, welcome here!

I looked into this.
Upgrading and skipping the error message you mentioned isn't a problem, everything still works fine afterwards.
It looks like at this point the folder 'safari' must be deleted (overwritten) and it won't for some reason...
This folder isn't there in the 1.6.7 package
I deleted the safari folder in question at my test site and everything is still working like it should be.  ::)

Perhaps Ted can confirm that this folder must be (can be) deleted, or that just leaving it there isn't a problem either...

Regards, Rolf  :)
Last edited by Rolf on Thu Feb 25, 2010 3:44 pm, edited 1 time in total.
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Deak

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Deak »

It would be really helpful if new releases, especially when security is an issue, were always announced via email. I don't visit this site every day, or even every week.

Also, I'd like to echo the comment made on the blog about not appreciating new features being bundled with a security patch -- it adds additional work and testing.

That said, thanks for your hard work!
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Rolf »

Deak wrote: It would be really helpful if new releases, especially when security is an issue, were always announced via email. I don't visit this site every day, or even every week.
Hello deak,

Somebody correct me if I'm wrong, but I think a mail was sent around via:
http://www.cmsmadesimple.org/support/mailing-lists/

And besides that, you can use the 'Notify' option in the Announcements board to keep you up to date on new topics here...

Regards, Rolf  :)
Ziggywigged
Power Poster
Posts: 424
Joined: Sat Feb 02, 2008 12:42 am
Location: USA

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Ziggywigged »

@Deak - I disagree, I like new features. The upgrade feature added to the Module Manager will help save time in the long run.

@Rolf - I'm subscribed but did not receive an email.

BTW, one could also subscribe to the blog's RSS feed or even Twitter (that's how I was notify'd).
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Rolf »

Ziggywigged wrote: @Rolf - I'm subscribed but did not receive an email.
Hmm, strange...  :-\
I checked my mailbox and I really got an announcement there...
See attached image

Deak

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Deak »

@Rolf - I have received previous update emails, but not the latest one. Strange! I've added my email address to the list again and didn't receive any "you're already subscribed" message (not even sure one would be generated). Having signed up again I also did not receive a double opt-in confirmation (tut-tut, CAN-SPAM and all that).

If the CMS Made Simple team would like a free account with a professional email marketing system, drop me a message. It's what I do for a living. No offence to Newsletter Made Simple, but it'll do your server and your email list more harm than good.
eirik
New Member
Posts: 2
Joined: Wed Mar 26, 2008 6:46 am

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by eirik »

Hi,

I would also appreciate a stable release version, that would be easier to provide security support for. While cmsms is a nice little system, parts of the code are rather messy, and I have frequently seen things break on upgrades and minor reconfiguration -- quite possibly due to improperly written extensions.

Whatever the cause, reducing the number of changes tends to help reduce risk.

Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?

BTW, I did receive the email announcement, so at least that part works for me.
Nullig
Power Poster
Posts: 2380
Joined: Fri Feb 02, 2007 4:31 pm
Location: Comox Valley, BC

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by Nullig »

@Ted

Any idea when the corrected diff file will be released?

Thanks,
Nullig
knuta
New Member
Posts: 2
Joined: Thu Feb 25, 2010 6:24 pm

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Post by knuta »

eirik wrote: I would also appreciate a stable release version, that would be easier to provide security support for. While cmsms is a nice little system, parts of the code are rather messy, and I have frequently seen things break on upgrades and minor reconfiguration -- quite possibly due to improperly written extensions.

Whatever the cause, reducing the number of changes tends to help reduce risk.
That's what I said, too. However, I said it in the comments on http://blog.cmsmadesimple.org/2010/02/23/announcing-cms-made-simple-1-6-7-teremba-bay/comment-page-1/#comment-4137. Why there are two separate comment threads in the blog and the forums beats me, but that is another story...
eirik wrote: Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?
The bug is documented at http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html. They forgot to link to it from the blog post, but the URL is mentioned in the source code.

I diffed the two releases manually and determined that the security fix seems to be in lib/classes/class.module.inc.php only (and there are no other changes to that file). All the remaining changes seem non-critical, so I simply replaced that file with the new version to be safe before deploying the rest of the new release. It has been running on a relatively busy site for about 34 hours, so at least it didn't break anything.

Good luck!

--
Knut Auvor Grythe