concrete5 5.6.3.1 Released

concrete5 5.6.3.1 was released on Friday. The new version includes “better mobile support for dashboard”, improved performance for multilingual websites, and bug fixes. The new version also fixes two cross-site scripting (XSS) vulnerabilities and a “potential email buffer overflow bug”.

More information is available in the release notes.

Posted in concrete5, Security Update

MediaWiki 1.19.15 Released

MediaWiki 1.19.15 was released yesterday. The new version fixes a bug that causes “pages to appear blank or with missing text” when using PCRE 8.34. The 1.22 series had this bug fixed in 1.22.1, which was released in January. The 1.21 series has not been fixed yet.

 

Posted in MediaWiki

MediaWiki 1.19.14, 1.21.8, and 1.22.5 Released

MediaWiki 1.19.14, 1.21.8, and 1.22.5 were released yesterday. The new versions include a security enhancement – adding a CSRF token on Special:ChangePassword – and bug fixes.

More information is available in the release announcement for 1.19.14, 1.21.8, and 1.22.5.

Posted in MediaWiki, Security Update

TYPO3 6.2 Released

TYPO3 6.2 was released yesterday. The new version includes an improved File Abstraction Layer, new tools for making sure websites work well on mobile devices, and more. An updated installer and a compatibility layer for TYPO3 4.5 extensions should make the upgrade process fairly smooth, especially for the many websites currently running TYPO3 4.5. The new version also includes security enhancements that are especially helpful for protecting high-profile websites:

We enhanced security in this latest release: saltedpassword is now used by default for the Install Tool and all backend users. No more insecure hashes in the database! Also using it for frontend users is highly encouraged and possible since TYPO3 4.3. We’ve implemented CSRF protection throughout the whole TYPO3 Backend, even in Ajax calls. A new click-jacking protection minimizes the risk of users being lured into performing backend actions which they are not wanting to do. cookieHttpOnly is now enabled by default.

More information is available in the release notice and the release notes.

Posted in Security Update, TYPO3

PrestaShop 1.6.0.5 Released

PrestaShop 1.6.0.5 was released yesterday. This is the first production release of PrestaShop 1.6. In the front office there is a new mobile responsive default theme, new promotional banners, and more. The back office has also been made mobile responsive and includes more business performance metrics.

More information is available in the release announcement.

Posted in PrestaShop

concrete5 5.6.3 Released

concrete5 5.6.3 was released yesterday. The new version includes a number of new features, including built-in localization, and numerous bug fixes. The new version also includes “improved user password hashing, security improvements and hardening”.

More information is available in the release notes.

Posted in concrete5, Security Update

Revive Adserver 3.0.3 Released

Revive Adserver 3.0.3 was released today. The new version includes a number of bug fixes and some new features, including “support for WebM videos in the IAB Video plugin”.

The new version also removes the Zend XML-RPC library. The version of the library that shipped with OpenX and prior versions of Revive Adserver contained a security vulnerability. The vulnerability was not exploitable in Revive Adserver, but could have been exploitable if a plugin used the library. We would like to thank the Revive Adserver team for dealing with this security issue after we reported it to them, unlike OpenX, whom we contacted in July of 2012 to alert them to the vulnerability but never received any response.

More information is available in the release notice.

Posted in Revive Adserver, Security Update

MediaWiki 1.19.13, 1.21.7, and 1.22.4 Released

MediaWiki 1.19.13, 1.21.7, and 1.22.4 were released yesterday. MediaWiki 1.19.3 fixes a security issue and all the new versions include a bug fix.

More information is available in the release announcement for 1.19.13, 1.21.7, and 1.22.4.

Posted in MediaWiki, Security Update

Moodle 2.4.9, 2.5.5, and 2.6.2 Released

Moodle 2.4.9, 2.5.6, and 2.6.2 were released today. The new versions include “small improvements”, bug fixes, and security fixes. Details of the security vulnerabilities fixed will be released later.

Update (March 17, 2014): Moodle has now released information on the security issues fixed in the releases. The new versions fix three serious vulnerabilities, two that could lead to improper access and one that could allow “students to see pages of other students’ individual wikis”.

More information is available in the release notes for 2.4.9, 2.5.5, and 2.6.2.

Posted in Moodle, Security Update

Joomla 2.5.19 and 3.2.3 Released

Joomla 2.5.19 and 3.2.3 were released today. The new versions fix a number of bugs and fix several security issues. The security fixes include a high priority SQL injection vulnerability fixed in 3.2.3 and a medium priority unauthorized login vulnerability fixed in both versions.

More information is available in the release announcements for 2.5.19 and 3.2.3.

Posted in Joomla, Security Update