From 5ko at 5ko.fr Sun Jun 21 16:03:39 2009
From: 5ko at 5ko.fr (Petko Yotov)
Date: Sun, 21 Jun 2009 23:03:39 +0200
Subject: [pmwiki-announce] PmWiki 2.2.2 released -- AuthUser security bugfix.
Message-ID: <200906212303.39800.5ko@5ko.fr>

Hello.

I have released pmwiki-2.2.2 stable today, available at :

  http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.2.tgz
  http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.2.zip
  svn://www.pmwiki.org/pmwiki/tags/latest

The major news in this release is a fix for an AuthUser vulnerability,
reported by Eemeli Aro.

The vulnerability affects only wikis that

  (1) rely on the AuthUser core module for User:Password authentication,
  -AND-
  (2) where the PHP installation runs with the variable
      "magic_quotes_gpc" disabled.

All PmWiki 2.1.x versions from pmwiki-2.1.beta6 on, all 2.2.betaX, 2.2.0,
and 2.2.1 are affected.

The PmWiki SiteAnalyzer can detect if your wiki needs to upgrade:

  http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer

If your wiki is vulnerable, you should do one of the following at the
earliest opportunity:

  * Upgrade to a version of PmWiki at least 2.2.2 or greater.
  * Turn on magic_quotes_gpc in the php.ini file or in a .htaccess file.

Alternatively, you can temporarily disable AuthUser until you upgrade.

Note that even if your wiki does not have the AuthUser vulnerability at the
moment, you are strongly encouraged to upgrade to PmWiki version 2.2.2 or
later, as some future configuration of your hosting server might put you at
risk.

If upgrading poses a difficulty for any site, please contact me at
5ko at 5ko.fr for assistance and a patch for older versions of PmWiki can be
made available.

This release also comes with minor updates in the local documentation; fixes
were applied for international wikis - notably global variables in
xlpage-utf-8.php and a new variable $EnableNotifySubjectEncode, which allows
e-mail clients to correctly display the Subject header; and a number of other
small bugs were fixed.

Comments, questions are welcome as always.

Thanks,
Petko