[Fusionforge-general] FusionForge 5.3.2 + CVE-2014-6275

Sylvain Beucler - Inria sylvain.beucler at inria.fr
Tue Sep 23 09:28:31 CEST 2014


Hi,

Download links :)
https://fusionforge.org/frs/?group_id=6
https://fusionforge.org/frs/download.php/file/49/fusionforge-5.3.2.tar.bz2

Cheers!
Sylvain

On 2014-09-22 13:59, Sylvain Beucler - Inria wrote:
> Hi,
>
> We just released FusionForge 5.3.2, which is a security and a bugfix 
> release.
>
> CVE-2014-6275 is the default activation of a 'cgi-bin/' scripts 
> directory for project homepages: this feature is currently minimal and 
> runs scripts under the shared Apache user, which is also used by 
> FusionForge.  If your project webpages are hosted on the same server 
> as FusionForge, this allows users to access on-disk data such as 
> private project releases and attachments.
> We now disable the project cgi-bin/ directory by default.
>
> Since the installation process usually does not override configuration 
> files (because they may have been customized), make sure you update 
> your installed '/etc/<forge>/httpd.conf.d/projects-in-mainvhost.inc' 
> and '/etc/<forge>/httpd.conf.d/vhost-projects.inc' files manually.
>
> The list of bugfixes also included in this release follows:
> * Software map: fix "value too long for type character varying(255)" 
> error in cron db_trove_maint.php (Inria)
> * Projects: fix Project name with html [#687] (TrivialDev)
> * Projects: don't display admins if their account is suspended (Inria)
> * Projects: member lists should check permission [#711] (TrivialDev)
> * Admin: fix edit table themes, fix frs_processor sequence [#691] 
> (TrivialDev)
> * User SSH keys (ssh_create.php): fix harmless warning when user 
> removes all her keys (Inria)
> * News: don't send requests for frontpage display for private projects 
> (Inria)
> * Docman: fix download count [#702] (TrivialDev)
> * Tracker: fix translation support [#688] (TrivialDev)
> * Tracker: fix custom status extrafield not updateable using mass 
> update [#712] (TrivialDev)
> * Mailing lists: handle quotes and accents in description (Inria)
> * SCM Reporting: fix legend block size exceed graph canvas [#718] 
> (TrivialDev)
> * Plugin mediawiki: fix paths in import/export scripts (Inria)
> * Plugin fckeditor: dropped in favor of ckeditor
> * Plugin SCM Git: suppress 'warning: You appear to have cloned an 
> empty repository.' in create_scm_repos.php (Inria)
> * Plugin SCM SVN: fix sql error in activity tab on init log [#715] 
> (TrivialDev)
> * Plugin SCM SVN: fix activity tab on empty commit log [#714] (Inria)
> * Plugin SCM HG (Mercurial): fix user stats [#722] (TrivialDev)
> * Plugin SCM HG (Mercurial): fix iframe size [#721] (TrivialDev)
> * Plugin SCM HG (Mercurial): fix ssl setting [#723] (TrivialDev)
> * Stats: handle bad encoding when gathering Git stats, remove spurious 
> warning when SVN repository isn't created yet (Inria)
> * Stats: fix commits count [#717] (TrivialDev, Roland Mas)
>   Run 'forge_run_job gather_scm_stats.php --all' to regenerate your 
> stats.
>   Optionally, if some of your repositories have history dating from 
> before the project was created on the forge, use '--allepoch' instead
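As an added defensive check (example code written for this archive page, not part of FusionForge or its 5.3.2 release), the Python below scans an Apache vhost fragment such as the two httpd.conf.d '.inc' files named above for directives that enable CGI execution, so an admin can confirm the manual update actually removed the per-project cgi-bin/. The directive names (ScriptAlias, Options ExecCGI, AddHandler/SetHandler cgi-script) are real Apache httpd directives; the two config fragments and their paths are constructed placeholders, not FusionForge's shipped files.

```python
import re

# Real Apache httpd directives that enable CGI execution for a path; each
# pattern is tested against one stripped, uncommented config line.
CGI_ENABLERS = (
    ("ScriptAlias", re.compile(r"^ScriptAlias(?:Match)?\s+", re.I)),
    ("AddHandler cgi-script", re.compile(r"^AddHandler\s+cgi-script\b", re.I)),
    ("SetHandler cgi-script", re.compile(r"^SetHandler\s+cgi-script\b", re.I)),
)
OPTIONS = re.compile(r"^Options\b(.*)$", re.I)


def find_cgi_enablers(config_text):
    """Return (line_no, directive, line) for each line that turns CGI on.
    '#' lines are comments; 'Options -ExecCGI' disables and is not flagged."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTIONS.match(line)
        if m:
            # 'ExecCGI' and '+ExecCGI' grant CGI; '-ExecCGI' revokes it.
            tokens = {t.lower() for t in m.group(1).split()}
            if tokens & {"execcgi", "+execcgi"}:
                findings.append((line_no, "Options ExecCGI", line))
            continue
        for name, pattern in CGI_ENABLERS:
            if pattern.match(line):
                findings.append((line_no, name, line))
                break
    return findings


# Constructed project-vhost fragment with cgi-bin/ enabled (the pre-5.3.2
# default); paths are placeholders, not FusionForge's real ones.
WEAK_CONFIG = """\
ScriptAlias /cgi-bin/ /srv/forge-projects/proj/cgi-bin/
<Directory /srv/forge-projects/proj/cgi-bin/>
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>
"""

# Same constructed fragment after the fix: mapping commented out, ExecCGI denied.
HARDENED_CONFIG = """\
# ScriptAlias /cgi-bin/ /srv/forge-projects/proj/cgi-bin/
<Directory /srv/forge-projects/proj/htdocs>
    Options -ExecCGI
</Directory>
"""
```

Run `find_cgi_enablers(open(path).read())` over each installed '.inc' file; an empty result means no directive in that file still maps or executes CGI scripts.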
