[Fusionforge-general] FusionForge 5.3.2 + CVE-2014-6275
Sylvain Beucler - Inria
sylvain.beucler at inria.fr
Mon Sep 22 13:59:00 CEST 2014
Hi,
We just released FusionForge 5.3.2, which is a security and a bugfix
release.
CVE-2014-6275 concerns the default activation of a 'cgi-bin/' scripts
directory for project homepages: this feature is currently minimal and
runs scripts under the shared Apache user, which is also used by
FusionForge itself. If your project webpages are hosted on the same server
as FusionForge, this allows users to access on-disk data such as
private project releases and attachments.
We now disable the project cgi-bin/ directory by default.
Since the installation process usually does not override configuration
files (because they may have been customized), make sure you update your
installed '/etc/<forge>/httpd.conf.d/projects-in-mainvhost.inc' and
'/etc/<forge>/httpd.conf.d/vhost-projects.inc' files manually.
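Added example, not code from the announcement or the FusionForge project: a small POSIX shell check an administrator can run after upgrading to confirm that a manually maintained Apache include no longer enables CGI execution for project web space. The directive patterns it matches (ScriptAlias on a cgi-bin path, Options with ExecCGI switched on, AddHandler cgi-script) are generic Apache syntax and may not be exactly what FusionForge ships; the sample include contents, the /var/lib/forge path and the FORGE_HTTPD_CONF_DIR variable are constructed for the demo.

```shell
#!/bin/sh
# Audit Apache include files for an active (uncommented) per-project cgi-bin
# configuration. Added example; the directives matched are generic Apache
# syntax, not quoted from FusionForge's own shipped files.

# Return 0 if the file still enables CGI execution, 1 otherwise.
cgi_enabled_in() {
    # Drop comments first so a commented-out ScriptAlias does not count,
    # then look for any directive that switches CGI execution on.
    # "Options -ExecCGI" (disabling) deliberately does not match.
    sed -e 's/#.*$//' "$1" | grep -Eiq \
        'ScriptAlias(Match)?[[:space:]]+[^[:space:]]*cgi-bin|Options[[:space:]]+([^[:space:]]+[[:space:]]+)*\+?ExecCGI([[:space:]]|$)|AddHandler[[:space:]]+cgi-script'
}

# Constructed sample includes (before and after disabling cgi-bin), written
# to "$1/enabled.inc" and "$1/disabled.inc". Paths are illustrative only.
write_samples() {
    cat > "$1/enabled.inc" <<'EOF'
# per-project web space (constructed example): CGI enabled
ScriptAlias /cgi-bin/ /var/lib/forge/www/cgi-bin/
<Directory /var/lib/forge/www/cgi-bin/>
    Options +ExecCGI
</Directory>
EOF
    cat > "$1/disabled.inc" <<'EOF'
# per-project web space (constructed example): CGI disabled
#ScriptAlias /cgi-bin/ /var/lib/forge/www/cgi-bin/
<Directory /var/lib/forge/www/>
    Options -ExecCGI
</Directory>
EOF
}

# Print one status line per file; exit status 0 only when every file is clean.
audit_includes() {
    rc=0
    for f in "$@"; do
        if cgi_enabled_in "$f"; then
            echo "CGI still enabled: $f"
            rc=1
        else
            echo "CGI disabled:      $f"
        fi
    done
    return $rc
}

if [ -n "${FORGE_HTTPD_CONF_DIR:-}" ]; then
    # Real use (assumed variable): point it at your /etc/<forge>/httpd.conf.d
    # and the two files named in the announcement are checked.
    audit_includes "$FORGE_HTTPD_CONF_DIR"/projects-in-mainvhost.inc \
                   "$FORGE_HTTPD_CONF_DIR"/vhost-projects.inc \
        || echo "at least one include still enables project CGI"
else
    # Offline demo on the constructed samples.
    d=$(mktemp -d)
    write_samples "$d"
    audit_includes "$d/enabled.inc" "$d/disabled.inc" \
        || echo "at least one include still enables project CGI"
    rm -rf "$d"
fi
```

The check is intentionally coarse: it reports any directive that can turn CGI on rather than trying to model Apache's full merge order, so a clean result means none of those directives survive in the file, while a hit is something to read by hand.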
The list of bugfixes also included in this release follows:
* Software map: fix "value too long for type character varying(255)"
error in cron db_trove_maint.php (Inria)
* Projects: fix Project name with html [#687] (TrivialDev)
* Projects: don't display admins if their account is suspended (Inria)
* Projects: member lists should check permission [#711] (TrivialDev)
* Admin: fix edit table themes, fix frs_processor sequence [#691]
(TrivialDev)
* User SSH keys (ssh_create.php): fix harmless warning when user removes
all her keys (Inria)
* News: don't send requests for frontpage display for private projects
(Inria)
* Docman: fix download count [#702] (TrivialDev)
* Tracker: fix translation support [#688] (TrivialDev)
* Tracker: fix custom status extrafield not updateable using mass update
[#712] (TrivialDev)
* Mailing lists: handle quotes and accents in description (Inria)
* SCM Reporting: fix legend block size exceed graph canvas [#718]
(TrivialDev)
* Plugin mediawiki: fix paths in import/export scripts (Inria)
* Plugin fckeditor: dropped in favor of ckeditor
* Plugin SCM Git: suppress 'warning: You appear to have cloned an empty
repository.' in create_scm_repos.php (Inria)
* Plugin SCM SVN: fix sql error in activity tab on init log [#715]
(TrivialDev)
* Plugin SCM SVN: fix activity tab on empty commit log [#714] (Inria)
* Plugin SCM HG (Mercurial): fix user stats [#722] (TrivialDev)
* Plugin SCM HG (Mercurial): fix iframe size [#721] (TrivialDev)
* Plugin SCM HG (Mercurial): fix ssl setting [#723] (TrivialDev)
* Stats: handle bad encoding when gathering Git stats, remove spurious
warning when SVN repository isn't created yet (Inria)
* Stats: fix commits count [#717] (TrivialDev, Roland Mas)
Run 'forge_run_job gather_scm_stats.php --all' to regenerate your stats.
Optionally, if some of your repositories have history dating from
before the project was created on the forge, use '--allepoch' instead.
Regards,
The FusionForge team.