Forum: FusionForge 5.3.2 available

Posted by: Sylvain Beucler
Date: 2014-09-23 07:27
Summary: FusionForge 5.3.2 available
Project: FusionForge

Content:

We just released FusionForge 5.3.2, which is a security and bugfix release.

It's available at:
https://fusionforge.org/frs/?group_id=6
https://fusionforge.org/frs/download.php/file/49/fusionforge-5.3.2.tar.bz2

CVE-2014-6275: the 'cgi-bin/' scripts directory for project homepages was enabled by default. This feature is currently minimal and runs the scripts under the shared Apache user, which is also the user FusionForge itself runs as. If your project web pages are hosted on the same server as FusionForge, this lets users read on-disk data such as private project releases and attachments.
We now disable the project cgi-bin/ directory by default.

Since the installation process usually does not overwrite configuration files (because they may have been customized), make sure you update your installed '/etc/<forge>/httpd.conf.d/projects-in-mainvhost.inc' and '/etc/<forge>/httpd.conf.d/vhost-projects.inc' files manually.
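Because the package upgrade leaves customized include files alone, an administrator needs a way to confirm that the installed Apache includes no longer execute scripts from project cgi-bin/ directories. The POSIX shell check below is an added example, not code from FusionForge or from this announcement. The two sample include files it writes are constructed for the example and only imitate what such a file might contain: the directive names (ScriptAliasMatch, Options +ExecCGI, AddHandler/SetHandler cgi-script) are standard Apache httpd directives, but the paths and the exact layout of the real projects-in-mainvhost.inc and vhost-projects.inc files are assumptions.

```shell
#!/bin/sh
# Added example (not FusionForge's own code): report whether an Apache include
# file still contains an active directive that executes CGI scripts, so that
# the manually maintained project-homepage includes can be verified after
# upgrading to 5.3.2.  Paths and file layout below are hypothetical.

# cgi_enabled FILE
# Exit 0 if FILE has an uncommented directive that turns on CGI execution,
# 1 otherwise.  Comments are stripped first so a commented-out ScriptAlias
# does not count.  'Options -ExecCGI' (explicit disable) is not matched.
cgi_enabled() {
    sed 's/#.*$//' "$1" | grep -Eiq \
        'ScriptAlias(Match)?|Options.*[^-]ExecCGI|(Add|Set)Handler.*cgi-script'
}

# check_forge_includes FILE...
# Print one line per file and return 1 if any file still enables CGI.
check_forge_includes() {
    rc=0
    for f in "$@"; do
        if cgi_enabled "$f"; then
            echo "CGI STILL ENABLED: $f"
            rc=1
        else
            echo "ok: $f"
        fi
    done
    return $rc
}

# make_samples
# Write two constructed include files into a temp directory and print its
# path.  These are illustrations of the "before" and "after" state, not
# copies of FusionForge's shipped configuration.
make_samples() {
    dir=$(mktemp -d)
    # Constructed pre-5.3.2 style fragment: project cgi-bin/ is executable.
    cat > "$dir/projects-in-mainvhost.inc.old" <<'EOF'
# Project homepages (hypothetical layout)
<Directory /srv/forge/projects>
    Options FollowSymLinks
</Directory>
ScriptAliasMatch ^/www/([^/]+)/cgi-bin/(.*) /srv/forge/projects/$1/cgi-bin/$2
<DirectoryMatch /srv/forge/projects/[^/]+/cgi-bin>
    Options +ExecCGI
</DirectoryMatch>
EOF
    # Constructed updated fragment: the alias is commented out and CGI
    # execution is explicitly switched off for the cgi-bin/ directories.
    cat > "$dir/projects-in-mainvhost.inc.new" <<'EOF'
# Project homepages (hypothetical layout)
<Directory /srv/forge/projects>
    Options FollowSymLinks
</Directory>
# Project cgi-bin/ disabled by default since 5.3.2 (CVE-2014-6275)
#ScriptAliasMatch ^/www/([^/]+)/cgi-bin/(.*) /srv/forge/projects/$1/cgi-bin/$2
<DirectoryMatch /srv/forge/projects/[^/]+/cgi-bin>
    Options -ExecCGI
</DirectoryMatch>
EOF
    echo "$dir"
}

# Demo run against the constructed samples (real use: pass your installed
# /etc/<forge>/httpd.conf.d/*.inc files instead).
demo_dir=$(make_samples)
check_forge_includes "$demo_dir"/projects-in-mainvhost.inc.old \
                     "$demo_dir"/projects-in-mainvhost.inc.new || :
rm -rf "$demo_dir"
```

In real use, run check_forge_includes over the two installed files named above and treat any "CGI STILL ENABLED" line as a sign that the upgrade did not touch your customized copy. The check is a textual heuristic: it will not see CGI enabled through a file included from elsewhere, and it does not replace a review of the full effective configuration (for example with apachectl -S or by reading the merged vhost).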

The list of bugfixes also included in this release follows:
* Software map: fix "value too long for type character varying(255)" error in cron db_trove_maint.php (Inria)
* Projects: fix Project name with html [#687] (TrivialDev)
* Projects: don't display admins if their account is suspended (Inria)
* Projects: member lists should check permission [#711] (TrivialDev)
* Admin: fix edit table themes, fix frs_processor sequence [#691] (TrivialDev)
* User SSH keys (ssh_create.php): fix harmless warning when user removes all her keys (Inria)
* News: don't send requests for frontpage display for private projects (Inria)
* Docman: fix download count [#702] (TrivialDev)
* Tracker: fix translation support [#688] (TrivialDev)
* Tracker: fix custom status extrafield not updateable using mass update [#712] (TrivialDev)
* Mailing lists: handle quotes and accents in description (Inria)
* SCM Reporting: fix legend block size exceed graph canvas [#718] (TrivialDev)
* Plugin mediawiki: fix paths in import/export scripts (Inria)
* Plugin fckeditor: dropped in favor of ckeditor
* Plugin SCM Git: suppress 'warning: You appear to have cloned an empty repository.' in create_scm_repos.php (Inria)
* Plugin SCM SVN: fix sql error in activity tab on init log [#715] (TrivialDev)
* Plugin SCM SVN: fix activity tab on empty commit log [#714] (Inria)
* Plugin SCM HG (Mercurial): fix user stats [#722] (TrivialDev)
* Plugin SCM HG (Mercurial): fix iframe size [#721] (TrivialDev)
* Plugin SCM HG (Mercurial): fix ssl setting [#723] (TrivialDev)
* Stats: handle bad encoding when gathering Git stats, remove spurious warning when SVN repository isn't created yet (Inria)
* Stats: fix commits count [#717] (TrivialDev, Roland Mas)
Run 'forge_run_job gather_scm_stats.php --all' to regenerate your stats.
Optionally, if some of your repositories have history dating from before the project was created on the forge, use '--allepoch' instead.
Welcome to fusionforge-5.3.2-available
By: Sylvain Beucler on 2014-09-22 12:06
[forum:791]