From: Jamie M. <ja...@mc...> - 2002-07-02 15:46:59

Slash in CVS had a cross-site scripting (XSS or CSS) vulnerability from June 20 to July 1 (yesterday). If you are running Slashcode from one of the tarball releases -- hopefully you are on 2.2.5 -- you are unaffected, don't worry about it. But if you are running Slashcode from CVS and you updated your site between June 20 and July 1, you will need to update to the latest version in CVS now. Please do so now.

An example exploit of this vulnerability has been posted to bugtraq (and Slashdot!) so you should assume that malicious users are already actively trying to attack sites. The example exploit did not include specific instructions on how to steal passwords, but this is trivial for anyone who understands XSS.

The impact of this vulnerability is that malicious readers can, at worst, steal your users' passwords, including those of your admins. Even if they do not steal passwords, they can cause other kinds of havoc by inserting unwelcome HTML, including scripting attacks, into comments and such.

After upgrading to the latest CVS, you should check the text fields of recent comments, journal entries, and submissions to make sure there are no scripting attacks. (Look for text like "<p " which indicates a tag that has attributes where none should be allowed. Other tags may be exploited.) If you cannot rule out the possibility of such attacks having been posted to your site, you will want to change your admins' passwords and otherwise take steps to ensure that their accounts are not compromised.

Sorry about all this, but these things can happen when you're working with pre-development-release CVS. Life in the fast lane. We'll try to make sure they don't happen again.

Several of the Slash coders hang out in the #slash IRC channels on openprojects.net and if you need help updating a CVS site to the latest version, we can help.

If you cannot upgrade to the latest version of CVS at this time, the simpler fix is to apply the "else" clause from this one patch. Note that, if your code from CVS is not already at the vulnerable version (Data.pm v1.31 to v1.38), it will look very different from what's shown here, and you will not know where to apply the patch, which is fine because that means you're not vulnerable :)

http://cvs.slashcode.com/index.cgi/slash/Slash/Utility/Data/Data.pm.diff?r1=1.38&r2=1.39

P.S. My bugtraq post said CVS between June 17 and July 1 was vulnerable; that's not correct, it's between June 20 and July 1. To be precise, Slash/Utility/Data/Data.pm versions 1.31 to 1.38. (At this moment, I'm still waiting for the bugtraq moderator to send that post through to that list.)

--
Jamie McCarthy ja...@sl...
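The post-upgrade check described above (look through recent comments for tags such as "<p " that carry attributes where none should be allowed) can be automated. The following is an added example written for this archive page, not code from Slash or from the poster; it assumes a small allow-list of bare tags plus "a href" (a stand-in for a site's own approved-tags configuration) and runs over constructed sample rows standing in for the output of a query against the comments table. It generalizes the check to any tag with unexpected attributes and to tags not on the list at all.

```python
import re

# Allow-list used by this example (an assumption; a real site's approved tags
# live in its own Slash configuration). These tags may appear with no attributes.
BARE_TAGS = {"b", "i", "p", "br", "em", "strong", "tt", "blockquote", "ol", "ul", "li"}
# The only tag/attribute pairs permitted to carry attributes.
ATTR_TAGS = {"a": {"href"}}

# Opening or closing tag: name in group 1, everything up to '>' in group 2.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>", re.S)
# Attribute name, optionally followed by =value (quoted or bare).
ATTR_NAME_RE = re.compile(
    r"""([A-Za-z_:][-A-Za-z0-9_:.]*)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?"""
)


def find_attribute_abuse(text):
    """Return (tag, reason) findings for tags in `text` that are not on the
    allow-list, or that carry attributes the allow-list does not permit."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag = m.group(1).lower()
        raw = m.group(2).strip().rstrip("/").strip()  # tolerate "<br />"
        if tag not in BARE_TAGS and tag not in ATTR_TAGS:
            findings.append((tag, "tag not allowed"))
            continue
        if not raw:
            continue  # bare tag such as "<p>": fine
        names = {a.group(1).lower() for a in ATTR_NAME_RE.finditer(raw)}
        unexpected = names - ATTR_TAGS.get(tag, set())
        if unexpected:
            findings.append((tag, "unexpected attributes: " + ", ".join(sorted(unexpected))))
    return findings


def scan_comments(rows):
    """rows: iterable of (cid, comment_text). Returns {cid: findings} for every
    comment that needs a human look; clean comments are omitted."""
    flagged = {}
    for cid, body in rows:
        hits = find_attribute_abuse(body)
        if hits:
            flagged[cid] = hits
    return flagged


# Constructed sample rows, standing in for recent rows from the comments table.
SAMPLE_ROWS = [
    (101, "Works for me. <p>Try <b>2.2.5</b>.</p>"),
    (102, 'See <a href="http://slashcode.com/">the site</a>.'),
    (103, '<p onclick="alert(1)">a tag with an attribute where none is allowed</p>'),
    (104, "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    for cid, hits in scan_comments(SAMPLE_ROWS).items():
        print(cid, hits)
```

The scanner is deliberately loose: a comparison such as "a < b and c > d" in plain text can trip the tag pattern, so treat its output as a review queue rather than a verdict, and feed it the same kind of rows for journal entries and submissions.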
From: Chris N. <pu...@os...> - 2002-02-07 16:47:01

Slash 2.2.5 is released. It is strongly recommended that you upgrade from version 2.2.0 through 2.2.4. This release fixes a cross-site scripting vulnerability which could be used to obtain passwords or other private information from both users and admins.

To upgrade from 2.2.x, unpack the 2.2.5 tarball and "make install," then restart Apache and the slashd daemon. The 2.2.5 tarball can be found at <http://sourceforge.net/projects/slashcode/>.

(Upgrading from 2.2.2 also entails some extremely minor SQL changes; from 2.2.1 you must update the template header;misc;default; from 2.2.0 also update the template displayForm;submit;default; from 2.2.4 update the template messages;users;default.)

Earlier versions of Slash are also affected. If you are running Slash 2.0.x or 1.0.x and are unable to upgrade to 2.2.5 at this time, patches are available.

http://slashcode.com/article.pl?sid=02/02/07/1624221

--
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/
From: Chris N. <pu...@po...> - 2002-01-14 17:42:53

Slash 2.2.4 is released. It is strongly recommended that you upgrade from version 2.2.0 through 2.2.3. This release fixes an admin.pl scripting vulnerability which could be used to obtain passwords or other private information.

To upgrade from 2.2.3, unpack the 2.2.4 tarball and "make install," then restart Apache. (Upgrading from 2.2.2 also entails some extremely minor SQL changes; from 2.2.1 you must update the template header;misc;default; from 2.2.0 also update the template displayForm;submit;default.)

All admins should turn off JavaScript on their browsers until the site is upgraded.

There are two other minor bugfixes in this release as well (see the CHANGES file for details).

http://slashcode.com/article.pl?sid=02/01/14/1738200

--
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/
From: Chris N. <pu...@os...> - 2002-01-10 16:40:25

[SA-2002:00] Slashcode login vulnerability

RISK FACTOR: HIGH

SYNOPSIS

Slash, the code that runs Slashdot and many other web sites, has a vulnerability in recent versions that allows any logged-in user to log in as any other user. This allows users to take nearly full control of a Slash system (post and delete stories, posting stories, edit users, post as other users, etc., and do anything that a Slash user can do) by logging in to an administrator's Slash account.

VULNERABLE SYSTEMS

Any system running Slash 2.1.x (development versions for 2.2), 2.2.0, 2.2.1, or 2.2.2, and sites using the development code from CVS. Slash 2.0.x and previous are unaffected.

RESOLUTION

Slash 2.2.3 should be installed for all Slash 2.1 and 2.2 sites. Users of the development code from CVS should run cvs update and install the most recent code.

In the meantime, if upgrading is not possible or will not happen immediately, site administrators should either shut down the web site or disable admin.pl and users.pl by moving them elsewhere or disabling the execution bits (Apache may need to be restarted following this).

Further, site administrators should change their passwords, and check the "seclev" field in the users table to make sure no one has a seclev greater than or equal to "100" who should not have administrator privileges:

mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;

That should list only users with some administrator privileges.

Site administrators should subscribe to the slashcode-general or slashcode-announce mailing lists, to keep up to date on the latest releases and security notices. Subscription information is on the Slashcode site at http://slashcode.com/.

CREDITS

Daniel Bowers <da...@sa...> found and exploited the bug, and notified the Slash team. The Slash team immediately patched the code and released Slash 2.2.3 three hours after notification.

CONTACT INFORMATION

Chris Nandor, pu...@os...
http://slashcode.com/
From: Chris N. <pu...@po...> - 2002-01-05 19:27:51

Slash 2.2.3 is released. It is very strongly recommended that you upgrade from 2.2.0, 2.2.1, or 2.2.2.

http://slashcode.com/article.pl?sid=02/01/02/1959215

--
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/
From: Chris N. <pu...@po...> - 2002-01-02 20:42:41

Slash 2.2.2 is released. It is very strongly recommended that you upgrade from 2.2.0 or 2.2.1.

http://slashcode.com/article.pl?sid=02/01/02/1959215

--
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/
From: Chris N. <pu...@po...> - 2001-11-07 16:48:18

Hi all. Finally, a new release of Slash! Check out the story on Slashcode for links and more information.

http://slashcode.com/article.pl?sid=01/11/07/1641258

--
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/
From: Brian A. <br...@ta...> - 2001-02-15 19:04:03

As many of you are aware we lost our original mail server recently and have been moving mailing lists to SourceForge. I have resubscribed everyone who was on the last announcement mailing list. If you no longer want to be a member of this list, use the unsubscribe information that came with the Welcome email.

Sorry for the intrusion.

-Brian

--
_______________________________________________________
Brian Aker, br...@ta...
Slashdot Senior Developer
Seattle, Washington
http://tangent.org/~brian/ http://slashdot.org/
_______________________________________________________
You can't grep a dead tree.