[Moin-user] *** upcoming 1.6.3 release / major security fix for 1.6.x users ***

Zoom.Quiet zoom.quiet at gmail.com
Sun Apr 20 19:58:33 EDT 2008


On Mon, Apr 21, 2008 at 3:06 AM, Thomas Waldmann <tw-public at gmx.de> wrote:
> Hi,
>
Hoohoooo! Quick upgrade! Great wiki engine!
Just in time following you!
>  I just wanted to announce that we are currently in final testing of the
>  1.6.3 release - after having worked over the weekend to fix some
>  critical security issues.
>
>  If you use a previous 1.6 release, especially if you are using ACLs
>  (other than for Known: and All:) or if you have a non-empty superuser
>  list, please follow this advice:
>
>  a) clear your superuser list immediately NOW (e.g. in wikiconfig):
>
>    superuser = []
>
>  Note: for farm-like setups with config inheritance it might not be
>  enough to comment it out - it could be set to a non-empty list in a
>  config you inherit from, so better assign the empty list.
>
>  b) if you have very sensitive content in your wiki (e.g. secret stuff
>  that must not be read by unauthorized people or stuff where write
>  access is very critical, even if logged), it is suggested that you
>  either take away the critical access or shut the wiki down until you
>  have installed the fix.
>
>  E.g. if write access is critical, but reading is allowed for everybody:
>
>     acl_rights_before = u"All:read" # everybody can read everything,
>                                     # but no one can write
>
>  c) You have to restart your web server after making those changes.
>
>  d) Watch those pages (if you have an account on the moinmo.in wiki, you
>  can subscribe to the pages and you will be notified by email when they
>  are changed):
>
>  http://moinmo.in/     <-- used for release announcements
>
>  http://moinmo.in/SecurityFixes   <-- for security fix news
>
>  e) Download and upgrade to 1.6.3 as soon as it is available. After
>  installing the 1.6.3 code and restarting your web server (see SystemInfo
>  page), you can restore your previous acl_rights_* setup and also your
>  superuser list.
>
>  moin 1.5.x is (as far as we know) not affected by this bug, but if you
>  are still running 1.5.x you should also consider upgrading as 1.5.9 was
>  the last 1.5.x release and there won't be any updates/fixes for 1.5 any
>  more.
>
>  We are really sorry about this (the code change [it was a fix for
>  another bug] that caused this looked really harmless, but while fixing
>  that other bug, it poked an even bigger hole into security in a quite
>  unexpected way).
>
>  Thomas
>
-- 
'''Process improvement is what starts to bring forth organizations that can produce reliable people!
PI keeps evolving organizations which promote people being good!
'''http://zoomquiet.org
Pls. use OOo to replace M$ Office. http://zh.openoffice.org
Pls. use 7-zip to replace WinRAR/WinZip. http://7-zip.org
You can get the truly Freedom 4 software.
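The config-inheritance trap that step (a) of the quoted advisory warns about, as an added Python example that is not part of this thread or of MoinMoin's own code: `DefaultConfig` is a constructed stand-in for moin's `multiconfig.DefaultConfig`, the class names are hypothetical, and `mitigation_gaps()` checks whether a given config actually has the interim settings (empty superuser list, `acl_rights_before = u"All:read"`) in effect.

```python
# Added example (not from the thread or MoinMoin): models how a moin wikiconfig
# inherits settings, and checks that the advisory's interim mitigation is in
# effect. `DefaultConfig` is a constructed stand-in for moin's
# multiconfig.DefaultConfig; attribute names follow the advisory.

class DefaultConfig(object):
    """Constructed stand-in for the shipped defaults."""
    superuser = []
    acl_rights_before = u""


class FarmConfig(DefaultConfig):
    """Shared farm config: sets a superuser list for every wiki in the farm."""
    superuser = [u"AdminUser"]  # constructed sample value


class CommentedOutConfig(FarmConfig):
    """Admin 'cleared' the list by commenting it out: the inherited value stays."""
    # superuser = [u"AdminUser"]


class ClearedConfig(FarmConfig):
    """Advisory step (a): explicitly assign the empty list."""
    superuser = []


class ReadOnlyConfig(ClearedConfig):
    """Advisory step (b): everybody may read, nobody may write."""
    acl_rights_before = u"All:read"  # everybody can read everything,
                                     # but no one can write


def mitigation_gaps(cfg):
    """Return the list of interim-mitigation checks that `cfg` fails."""
    gaps = []
    if cfg.superuser:
        gaps.append("superuser list non-empty: %r" % (cfg.superuser,))
    # moin evaluates acl_rights_before first and the first matching ACL entry
    # decides, so a leading "All:read" grants read and denies write to everyone.
    entries = cfg.acl_rights_before.split()
    first = entries[0] if entries else u""
    if first != u"All:read":
        gaps.append("acl_rights_before does not start with All:read: %r"
                    % (cfg.acl_rights_before,))
    return gaps


if __name__ == "__main__":
    for cls in (FarmConfig, CommentedOutConfig, ClearedConfig, ReadOnlyConfig):
        print("%-18s -> %s" % (cls.__name__, mitigation_gaps(cls) or "ok"))
```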