[Fusionforge-general] FusionForge 5.3.2 + CVE-2014-6275

Sylvain Beucler - Inria sylvain.beucler at inria.fr
Mon Sep 22 13:59:00 CEST 2014


We just released FusionForge 5.3.2, which is a security and a bugfix 

CVE-2014-6275 is the default activation of a 'cgi-bin/' scripts 
directory for project homepages: this feature is currently minimal and 
runs scripts under the shared Apache user, which is also the user 
FusionForge itself runs as.  If your project webpages are hosted on the 
same server as FusionForge, a script in a project's cgi-bin/ therefore 
runs with FusionForge's own file-system privileges, which allows users 
to access on-disk data such as private project releases and attachments. 
We now disable the project cgi-bin/ directory by default.

Since the installation process usually does not override configuration 
files (because they may have been customized), make sure you update your 
installed '/etc/<forge>/httpd.conf.d/projects-in-mainvhost.inc' and 
'/etc/<forge>/httpd.conf.d/vhost-projects.inc' files manually.
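As an added example (not FusionForge's own code or configuration), the following POSIX shell check can be run against the two manually maintained include files after the upgrade to confirm that the project cgi-bin/ directory is no longer executable. The constructed "before" and "after" fragments, the directory path inside them, and the specific directives matched are assumptions written in Apache 2.4 syntax; the real FusionForge include files may use different directives, so adjust the pattern to what your files actually contain.

```shell
#!/bin/sh
# Added example, not FusionForge's own code or configuration. It checks
# whether an Apache include fragment still enables CGI execution for a
# project cgi-bin/ directory. The directive names and the path used in
# the constructed fragments below are assumptions, not what FusionForge ships.

# Constructed "before" fragment: cgi-bin/ executed as the shared Apache user.
VULNERABLE_FRAGMENT='
<Directory "/var/lib/forge/groups/*/htdocs/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    Require all granted
</Directory>
'

# Constructed "after" fragment: the directory stays, but nothing in it runs
# and it is not served at all.
HARDENED_FRAGMENT='
<Directory "/var/lib/forge/groups/*/htdocs/cgi-bin">
    Options -ExecCGI
    Require all denied
</Directory>
'

# cgi_enabled: reads an Apache fragment on stdin; exits 0 when a directive
# that turns on CGI execution is present (ExecCGI added via Options, a
# ScriptAlias/ScriptAliasMatch, or a cgi-script handler), exits 1 otherwise.
# Comment lines are skipped so a commented-out directive does not count,
# and "Options -ExecCGI" is deliberately not matched.
cgi_enabled() {
    grep -v '^[[:space:]]*#' |
    grep -Eiq \
      'Options[[:space:]]+([^#]*[[:space:]])?\+?ExecCGI|^[[:space:]]*ScriptAlias(Match)?[[:space:]]|(Add|Set)Handler[[:space:]]+cgi-script'
}

# cgi_state: prints "enabled" or "disabled" for a fragment passed as $1.
cgi_state() {
    if printf '%s\n' "$1" | cgi_enabled; then
        echo enabled
    else
        echo disabled
    fi
}

# audit_forge_includes: check the two files the announcement says must be
# updated by hand. $1 is the forge's /etc/<forge> directory (the exact
# name depends on your installation). Returns 1 if any file still enables CGI.
audit_forge_includes() {
    dir=$1
    rc=0
    for f in "$dir/httpd.conf.d/projects-in-mainvhost.inc" \
             "$dir/httpd.conf.d/vhost-projects.inc"; do
        if [ ! -r "$f" ]; then
            echo "$f: missing or unreadable"
            continue
        fi
        state=$(cgi_state "$(cat "$f")")
        echo "$f: project cgi-bin $state"
        [ "$state" = disabled ] || rc=1
    done
    return $rc
}

# Stand-alone demonstration on the constructed fragments.
echo "before upgrade: $(cgi_state "$VULNERABLE_FRAGMENT")"
echo "after  upgrade: $(cgi_state "$HARDENED_FRAGMENT")"
```

Run `audit_forge_includes /etc/<forge>` with your actual forge directory. The check is a line-oriented grep: it does not follow Include directives or evaluate <IfModule> blocks, so after editing and reloading Apache, also confirm that a request for a .cgi file under a project homepage is no longer executed.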

The list of bugfixes also included in this release follows:
* Software map: fix "value too long for type character varying(255)" 
error in cron db_trove_maint.php (Inria)
* Projects: fix Project name with html [#687] (TrivialDev)
* Projects: don't display admins if their account is suspended (Inria)
* Projects: member lists should check permission [#711] (TrivialDev)
* Admin: fix edit table themes, fix frs_processor sequence [#691] 
* User SSH keys (ssh_create.php): fix harmless warning when user removes 
all her keys (Inria)
* News: don't send requests for frontpage display for private projects 
* Docman: fix download count [#702] (TrivialDev)
* Tracker: fix translation support [#688] (TrivialDev)
* Tracker: fix custom status extrafield not updateable using mass update 
[#712] (TrivialDev)
* Mailing lists: handle quotes and accents in description (Inria)
* SCM Reporting: fix legend block size exceed graph canvas [#718] 
* Plugin mediawiki: fix paths in import/export scripts (Inria)
* Plugin fckeditor: dropped in favor of ckeditor
* Plugin SCM Git: suppress 'warning: You appear to have cloned an empty 
repository.' in create_scm_repos.php (Inria)
* Plugin SCM SVN: fix sql error in activity tab on init log [#715] 
* Plugin SCM SVN: fix activity tab on empty commit log [#714] (Inria)
* Plugin SCM HG (Mercurial): fix user stats [#722] (TrivialDev)
* Plugin SCM HG (Mercurial): fix iframe size [#721] (TrivialDev)
* Plugin SCM HG (Mercurial): fix ssl setting [#723] (TrivialDev)
* Stats: handle bad encoding when gathering Git stats, remove spurious 
warning when SVN repository isn't created yet (Inria)
* Stats: fix commits count [#717] (TrivialDev, Roland Mas)
   Run 'forge_run_job gather_scm_stats.php --all' to regenerate your stats. 
   Optionally, if some of your repositories have history dating from 
   before the project was created on the forge, use '--allepoch' instead.

The FusionForge team.
