[Moin-user] *** upcoming 1.6.3 release / major security fix for 1.6.x users ***
Zoom.Quiet
zoom.quiet at gmail.com
Sun Apr 20 19:58:33 EDT 2008
On Mon, Apr 21, 2008 at 3:06 AM, Thomas Waldmann <tw-public at gmx.de> wrote:
> Hi,
>
Hoohoooo! Quick upgrade! Great wiki engine!
Just in time, following you!
> I just wanted to announce that we are currently in final testing of the
> 1.6.3 release - after having worked over the weekend to fix some
> critical security issues.
>
> If you use a previous 1.6 release, especially if you are using ACLs
> (other than for Known: and All:) or if you have a non-empty superuser
> list, please follow this advice:
>
> a) clear your superuser list immediately NOW (e.g. in wikiconfig):
>
> superuser = []
>
> Note: for farm-like setups with config inheritance it might not be
> enough to comment it out - it could be set to a non-empty list in a
> config you inherit from, so better assign the empty list.
>
> b) if you have very sensitive content in your wiki (e.g. secret stuff
> that must not be read by unauthorized people, or stuff where write
> access is very critical, even if logged), it is suggested that you
> either take away the critical access or shut the wiki down until you
> have installed the fix.
>
> E.g. if write access is critical, but reading is allowed for everybody:
>
> acl_rights_before = u"All:read" # everybody can read everything,
> # but no one can write
>
> c) You have to restart your web server after making those changes.
>
> d) Watch those pages (if you have an account on the moinmo.in wiki, you
> can subscribe to the pages and you will be notified by email when they
> are changed):
>
> http://moinmo.in/ <-- used for release announcements
>
> http://moinmo.in/SecurityFixes <-- for security fix news
>
> e) Download and upgrade to 1.6.3 as soon as it is available. After
> installing the 1.6.3 code and restarting your web server (see SystemInfo
> page), you can restore your previous acl_rights_* setup and also your
> superuser list.
>
> moin 1.5.x is (as far as we know) not affected by this bug, but if you
> are still running 1.5.x you should also consider upgrading as 1.5.9 was
> the last 1.5.x release and there won't be any updates/fixes for 1.5 any
> more.
>
> We are really sorry about this (the code change [it was a fix for
> another bug] that caused this looked really harmless, but while fixing
> that other bug, it poked an even bigger hole into security in a quite
> unexpected way).
>
> Thomas
>
--
'''Process improvement is the beginning of nurturing organizations that can reliably produce reliable people!
PI keeps evolving organizations which promote people to be good!
'''http://zoomquiet.org
Please use OOo to replace M$ Office. http://zh.openoffice.org
Please use 7-zip to replace WinRAR/WinZip. http://7-zip.org
You can get the truly free software.
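The two emergency settings from the quoted advice (superuser = [] and acl_rights_before = u"All:read"), as an added example that is not part of the original message or of MoinMoin's own code: plain Python classes stand in for the 1.6 wikiconfig classes (assumed names FarmBaseConfig, WikiCommentedOut, WikiHardened) and a small check shows why, in a farm with config inheritance, commenting the superuser line out is not enough.

```python
# Added example (not from the original message or from MoinMoin). The classes
# are constructed stand-ins for MoinMoin 1.6 wikiconfig classes; attribute
# names match the settings quoted in the advisory.

class FarmBaseConfig(object):
    """Shared farm base config (constructed) that sets a real superuser."""
    superuser = [u"AdminUser"]
    acl_rights_before = u""
    acl_rights_default = u"Known:read,write,delete,revert All:read"

class WikiCommentedOut(FarmBaseConfig):
    """Admin only commented the line out: the parent's list is still inherited."""
    # superuser = [u"AdminUser"]
    acl_rights_before = u"All:read"

class WikiHardened(FarmBaseConfig):
    """Steps a) and b) applied: an explicit empty list overrides the parent."""
    superuser = []
    acl_rights_before = u"All:read"   # everybody can read, nobody can write

def parse_acl(acl_string):
    """Parse u"All:read Known:read,write" into ordered (entry, rights) pairs.
    Order matters: in moin the first matching entry decides."""
    entries = []
    for item in acl_string.split():
        name, _, rights = item.partition(":")
        entries.append((name, set(r for r in rights.split(",") if r)))
    return entries

def rights_before(cfg, username):
    """Rights acl_rights_before grants `username` (None = anonymous), or None
    if no entry matches. Only All:, Known: and exact names are modelled."""
    for entry, rights in parse_acl(cfg.acl_rights_before):
        if entry == "All" or (entry == "Known" and username) or entry == username:
            return rights
    return None

def check_emergency_config(cfg):
    """Return findings; an empty list means the emergency settings are in effect."""
    findings = []
    if list(cfg.superuser):
        findings.append("superuser list is not empty: %r" % (list(cfg.superuser),))
    for user in (None, u"Alice", u"AdminUser"):
        granted = rights_before(cfg, user)
        if granted is None or granted & {"write", "delete", "revert", "admin"}:
            findings.append("acl_rights_before does not block writes for %r" % (user,))
    return findings
```

Run check_emergency_config on the effective config class of each wiki in the farm; only an empty result means both emergency steps are really in force before you restart the web server.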