Geeklog Documentation

Geeklog Detailed Change History

This is an HTML-converted and translated version of public_html/docs/history.

December 9, 2015 (2.1.1)

July 12, 2014 (2.1.0)

Mar 29, 2013 (2.0.0)

Mar 8, 2013 (2.0.0rc3)

Feb 19, 2013 (2.0.0rc2)

This release fixes the following security issues:

Fixes not related to security:

Feb 19, 2013 (1.8.2sr1)

This release fixes the following security issues:

Fixes not related to security:

Dec 30, 2012 (1.8.2)

Oct 12, 2012 (2.0.0rc1)

Jul 13, 2012 (2.0.0b2)

May 24, 2012 (2.0.0b1)

For the latest development status, see the upstream repository.

Oct 9, 2011 (1.8.1)

Sep 11, 2011 (1.8.1rc1)

Jun 12, 2011 (1.8.0)

This release includes the Configuration work (input validation and search) by Akeda Bagus, the result of a 2010 Google Summer of Code project.

Changes since 1.8.0rc2:

Jun 2, 2011 (1.8.0rc2)

Changes since 1.8.0rc1:

May 8, 2011 (1.8.0rc1)

Changes since 1.8.0b2:

Apr 25, 2011 (1.8.0b2)

Changes since 1.8.0b1:

Apr 3, 2011 (1.8.0b1)

This release includes the Configuration work (input validation and search) by Akeda Bagus, the result of a 2010 Google Summer of Code project.

Calendar Plugin

Links Plugin

Polls Plugin

Static Pages Plugin

XMLSitemap Plugin

Feb 20, 2011 (1.7.2)

Note: Geeklog 1.7.2 is the last version of Geeklog that runs on PHP 4. If needed, security fixes for this version will be provided until 2012. New features will only be added to Geeklog 1.8.0 and later, which require PHP 5.2.0 or newer. See the announcement on geeklog.net for details.

Jan 2, 2011 (1.7.1sr1)

This release addresses the following security issue:

Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's Configuration panel, which has been fixed.

Oct 31, 2010 (1.7.1)

Calendar plugin

Oct 10, 2010 (1.7.1rc1)

Static Pages plugin

May 9, 2010 (1.7.0)

Starting with Geeklog 1.7.0, PostgreSQL is supported, thanks to Stan Palatnik's work during the 2009 Google Summer of Code.

Changes since 1.7.0rc1:

May 2, 2010 (1.7.0rc1)

Changes since 1.7.0b1:

Calendar plugin

Links plugin

Polls plugin

Spam-X plugin

Static Pages plugin

Apr 4, 2010 (1.7.0b1)

Calendar plugin

Links plugin

Polls plugin

Spam-X plugin

Static Pages plugin 1.6.2

Jan 2, 2011 (1.6.1sr2)

This release addresses the following security issue:

Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's Configuration panel, which has been fixed.

May 9, 2010 (1.6.1sr1)

This release addresses the following security issue:

Automatic login (which uses a long-lived cookie) was vulnerable to a dictionary attack. This was one of the issues reported by Bookoo of the Nine Situations group in April 2009, but the Geeklog team apparently overlooked it. Thanks to geeklog.net user Jack for pointing it out.

Nov 22, 2009 (1.6.1)

Changes since 1.6.1rc1:

Static Pages plugin

Nov 8, 2009 (1.6.1rc1)

Changes since 1.6.1b1:

Links plugin

Static Pages plugin

Nov 1, 2009 (1.6.1b1)

Calendar plugin 1.1.1

Links plugin

Polls plugin

Static Pages plugin 1.6.1

Aug 30, 2009 (1.6.0sr2)

This release addresses the following security issues:

Non-security related changes:

This release also includes updated Hebrew (contributed by LWC) and German language files.

July 30, 2009 (1.6.0sr1)

This release addresses the following security issues:

Non-security related changes:

July 19, 2009 (1.6.0)

Geeklog 1.6.0 incorporates the following projects implemented during Google Summer of Code 2008:

Changes since 1.6.0rc2:

July 12, 2009 (1.6.0rc2)

Changes since 1.6.0rc1:

Jun 28, 2009 (1.6.0rc1)

Changes since 1.6.0b3:

Jun 21, 2009 (1.6.0b3)

Changes since 1.6.0b2:

Calendar plugin

Polls plugin

Static Pages plugin

XMLSitemap plugin

May 31, 2009 (1.6.0b2)

Changes since 1.6.0b1:

Polls plugin

Static Pages plugin

XMLSitemap plugin

May 1, 2009 (1.6.0b1)

Calendar plugin

Links plugin

Polls plugin

Spam-X plugin

Static Pages plugin

May 9, 2010 (1.5.2sr6)

This release addresses the following security issue:

Automatic login (which uses a long-lived cookie) was vulnerable to a dictionary attack. This was one of the issues reported by Bookoo of the Nine Situations group in April 2009, but the Geeklog team apparently overlooked it. Thanks to geeklog.net user Jack for pointing it out.

July 30, 2009 (1.5.2sr5)

This release addresses the following security issues:

Apr 18, 2009 (1.5.2sr4)

This release addresses the following security issue:

Bookoo of the Nine Situations group reported yet another SQL injection vulnerability, this one targeting an old bug in usersettings.php. As with the previous issue, an attacker could obtain the password hash of any account; this release fixes the problem.

Apr 13, 2009 (1.5.2sr3)

This release addresses the following security issue:

Bookoo of the Nine Situations group reported another SQL injection vulnerability in the webservices API. As with the previous issue, an attacker could obtain the password hash of any account; this release fixes the problem.

Non-security related issue:

Re-introduced the get_SPX_Ver function in the install script, since it is still needed when upgrading from older Geeklog releases (reported by Sheila) [Dirk]

Apr 4, 2009 (1.5.2sr2)

This release addresses the following security issue:

Bookoo of the Nine Situations group reported an SQL injection vulnerability in glFusion that also applied to Geeklog. Through this issue an attacker could obtain the password hash of any account; this release fixes the problem.

Mar 30, 2009 (1.5.2sr1)

This release addresses the following security issue:

Fernando Munoz reported possible XSS in most of the administrative query forms; this release fixes those issues.

Feb 8, 2009 (1.5.2)

Static Pages plugin

Jan 24, 2009 (1.5.2rc1)

Calendar plugin

Links plugin

Polls plugin

Static Pages plugin

Sep 22, 2008 (1.5.1)

Sep 7, 2008 (1.5.1rc1)

Calendar plugin

Links plugin

Polls plugin

Static Pages plugin

June 15, 2008 (1.5.0)

Geeklog 1.5.0 incorporates the following work done during Google Summer of Code 2007:

Changes since 1.5.0rc2:

June 8, 2008 (1.5.0rc2)

Changes since 1.5.0rc1:

May 25, 2008 (1.5.0rc1)

Changes since 1.5.0b2:

Calendar plugin

May 20, 2008 (1.5.0b2)

Changes since 1.5.0b1:

Links plugin

Polls plugin

Static Pages plugin

May 5, 2008 (1.5.0b1)

Serendipity [Dirk]

Calendar plugin (1.0.2)

Links plugin (2.0.0)

Polls plugin (2.0.1)

Spam-X plugin (1.1.1)

Static Pages plugin (1.5.0)

Dec 31, 2006 (1.4.1)

Dec 17, 2006 (1.4.1rc1)

Nov 5, 2006 (1.4.1b2)

Calendar plugin

Links plugin

Sep 17, 2006 (1.4.1b1)

Calendar plugin (1.0.0)

Links plugin (1.0.1)

Polls plugin (1.1.0)

Spam-X plugin (1.1.0)

Static Pages plugin (1.4.3)

July 23, 2006 (1.4.0sr5-1)

This release fixes display problems in the comment preview that were only in Geeklog 1.4.0sr5 (as a result of the fix for the XSS).

The complete 1.4.0sr5-1 tarball also includes the following language files:

July 16, 2006 (1.4.0sr5)

JPCERT/CC informed us about a possible XSS in the comment handling that we're fixing with this release.

June 30, 2006 (1.4.0sr4)

Two exploits have been released by "rgod" for insecure Geeklog installations, targeting a bug in the "mcpuk" file manager that we've been shipping as part of all 1.4.0 releases.

May 28, 2006 (1.4.0sr3)

The Security Science Researchers Institute Of Iran reported the following security issues:

An internal code review also revealed a possible SQL injection in story submissions.

Mar 5, 2006 (1.4.0sr2)

Security issues:

Feb 19, 2006 (1.4.0sr1)

Security issues:

James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code.

Bugfixes:

Feb 5, 2006 (1.4.0)

Jan 22, 2006 (1.4.0rc2)

Dec 31, 2005 (1.4.0rc1)

Nov 20, 2005 (1.4.0b1)

Links plugin 1.0.0

Polls plugin 1.0.0

Spam-X plugin 1.0.3

July 16, 2006 (1.3.11sr7)

JPCERT/CC informed us about a possible XSS in the comment handling that we're fixing with this release.

May 28, 2006 (1.3.11sr6)

The Security Science Researchers Institute Of Iran reported the following security issues:

An internal code review also revealed a possible SQL injection in story submissions.

Mar 5, 2006 (1.3.11sr5)

Security issue:

Feb 19, 2006 (1.3.11sr4)

Security issues:

Dec 12, 2005 (1.3.11sr3)

Security issues:

Bugfixes:

Oct 9, 2005 (1.3.11sr2)

This release provides security enhancements and better spam protection originally developed for Geeklog 1.3.12. It also addresses a few bugs where the bugfix could be integrated with a reasonable amount of work (other bugfixes will have to wait for the 1.3.12 release).

Security and Spam protection:

Please note that MT-Blacklist (used by Spam-X) has recently been discontinued. For the time being, we provide the last version of the blacklist for download from geeklog.net (the Spam-X plugin included in this release is configured to get it from there for the initial import). There will, however, be no updates to the blacklist. For details, please see http://www.geeklog.net/article.php/mt-blacklist-discontinued

Bugfixes:

Improvements:

Language files:

Aug 21, 2005 (Spam-X plugin 1.0.2)

Jul 3, 2005 (1.3.11sr1)

This release addresses the following security issue:

Stefan Esser found an SQL injection that can, under certain circumstances, be exploited to extract user data such as the user's password hash.

Dec 31, 2004 (1.3.11)

Geeklog 1.3.11 addresses the following security issues:

  1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong). These stories still ended up in the submission queue, though, unless you disabled it in config.php.
  2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.
  3. The links for the What's Related block were created from the unfiltered story text, opening the possibility of XSS attacks (reported by Vincent Furia).

Bugfixes:

Dec 22, 2004 (1.3.11rc1)

Nov 28, 2004 (1.3.10)

Nov 21, 2004 (1.3.10rc3)

Oct 24, 2004 (1.3.10rc2)

Oct 17, 2004 (1.3.10rc1)

Language files

Static Pages plugin 1.4.1

Mar 5, 2006 (1.3.9sr5)

This release addresses the following security issues:

Jul 3, 2005 (1.3.9sr4)

This release addresses the following security issue:

Stefan Esser found an SQL injection that can, under certain circumstances, be exploited to extract user data such as the user's password hash.

Dec 31, 2004 (1.3.9sr3)

This release addresses 2 security issues:

  1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong). These stories still ended up in the submission queue, though, unless you disabled it in config.php.
  2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.

Oct 8, 2004 (1.3.9sr2)

This release addresses 2 security issues:

Non-security related fixes:

Jun 1, 2004 (1.3.9sr1)

This release addresses the following security issues:

Non-security related fixes:

Mar 14, 2004 (1.3.9)

Mar 7, 2004 (1.3.9rc3)

Feb 29, 2004 (1.3.9rc2)

Feb 16, 2004 (1.3.9rc1)

Updated: comment/startcomment.thtml

Static Pages plugin 1.4

Please see docs/staticpages.html for details.

Oct 8, 2004 (1.3.8-1sr6)

This release addresses 2 security issues:

Jun 1, 2004 (1.3.8-1sr5)

This release fixes a bug due to which it was possible to post anonymously even when anonymous comment posting had been switched off in .php.

To upgrade from Geeklog 1.3.8-1sr4 to 1.3.8-1sr5, simply upload the included .php, replacing the file of the same name on your webserver.

January 26, 2004 (1.3.8-1sr4)

This release addresses the following security issues:

  1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
  2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
  3. It was possible to delete other people's personal events if you knew the event ID.
  4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
  5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
  6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
  7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
  8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

December 5, 2003 (1.3.8-1sr3)

This release addresses the following security-related issues:

  1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
  2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users.
    In addition to fixing these issues, there is now also a speed limit on that form (defaults to the speed limit for story submissions).
  3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
  4. It was possible to post comments under someone else's username.

October 14, 2003 (1.3.8-1sr2)

Jouko Pynnonen found a way to trick the new "forgot password" feature, introduced in 1.3.8, into letting an attacker change the password for _any_ user. This release addresses this issue; there were no other changes.

The only thing you need to do is to replace the file users.php on your site with the file that comes with this tarball. It's suggested that you change the version number in your config.php to '1.3.8-1sr2' afterwards.

Please note that only Geeklog 1.3.8, 1.3.8-1, and 1.3.8-1sr1 are affected, as this feature did not exist in earlier versions.

October 12, 2003 (1.3.8-1sr1)

This release is intended to address some of the security issues reported in September and early October 2003.

  1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript injections and CSS defacements.
  2. When upgrading from an earlier version, please make sure to copy over the $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included config.php to your own copy of that file.
  3. While almost all of the alleged SQL injection issues could not be reproduced, this release includes an update to the MySQL class to not report SQL errors in the browser any more (but only in Geeklog's error.log). This will avoid disclosing any sensitive information as part of the error message.
    Please note that at the moment we do NOT recommend using Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway).
    An upcoming release of Geeklog will address the remaining SQL issues, including any problems with MySQL 4.1.

Other fixes (not security-related):

August 9, 2003 (1.3.8-1)

July 17, 2003 (1.3.8)

July 6, 2003 (1.3.8rc2)

June 29, 2003 (1.3.8rc1)

Static Pages plugin 1.3

Please see docs/staticpages.html for details.

January 26, 2004 (1.3.7sr5)

This release addresses the following security issues:

  1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
  2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
  3. It was possible to delete other people's personal events if you knew the event ID.
  4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
  5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
  6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
  7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
  8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

December 5, 2003 (1.3.7sr4)

This release addresses the following security-related issues:

  1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
  2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users.
  3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
  4. It was possible to post comments under someone else's username.

October 12, 2003 (1.3.7sr3)

This release is intended to address some of the security issues reported in September and early October 2003.

  1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript injections and CSS defacements.
  2. When upgrading from an earlier version, please make sure to copy over the $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included config.php to your own copy of that file.
  3. While almost all of the alleged SQL injection issues could not be reproduced, this release includes an update to the MySQL class to not report SQL errors in the browser any more (but only in Geeklog's error.log).
    This will avoid disclosing any sensitive information as part of the error message.
    Please note that at the moment we do NOT recommend using Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway).
    An upcoming release of Geeklog will address the remaining SQL issues, including any problems with MySQL 4.1.

May 26, 2003 (1.3.7sr2)

Security issues:

January 13, 2003 (1.3.7sr1)

Security issues:

  1. Javascript code could be used in the homepage link of a user's profile (reported by Jin Yean Tan).
  2. Javascript code could be injected in several URLs so that these could then be used for a cross-site scripting attack (reported by Jin Yean Tan).
  3. Anybody could delete comments, provided they knew the comment id.
  4. A StoryAdmin could manipulate any story, even if permissions should have prevented that. The same applied to Admins for links, events, polls, topics, and blocks (reported by Kobaz).

December 16, 2002 (1.3.7)

December 3, 2002 (1.3.7rc1)

Localisation:

September 20, 2002 (1.3.6)

August 28, 2002 (1.3.6rc1)

July 8, 2002 (1.3.5sr2)

June 10, 2002 (1.3.5sr1)

April 24, 2002 (1.3.5)

March 7, 2002

March 1, 2002

February 22, 2002

February 22, 2002

January 11, 2001

November XX, 2001

August 21, 2001

August 17, 2001

August 3, 2001

August 1, 2001

July 19, 2001

May 29, 2001

Released 1.2b. Changes are below:

September 24, 2000

Tar'ed it up and shipped 1.1 out the door!

September 24, 2000

September 18, 2000

September 13, 2000

September 12, 2000

September 9, 2000

September 8, 2000

September 7, 2000

September 6, 2000

September 5, 2000

September 4, 2000

September 1, 2000

Fixed a bug in the database upgrade scripts.

RELEASE!!! 1.0!!! - August 29, 2000

Tar'ed it up and shipped 1.0 out the door!

August 29, 2000

Fixed a bug in the command and control center which didn't allow the display to be completely updated after a batch moderation.

August 28, 2000

August 27, 2000

August 26, 2000

August 22, 2000

August 21, 2000

August 20, 2000

August 19, 2000

August 18, 2000

August 14, 2000

August 13, 2000

August 12, 2000

August 11, 2000

August 7, 2000

August 7, 2000

August 6, 2000

August 5, 2000

BETA RELEASE!!! 0.5!!! - August 3, 2000

August 2, 2000

July 30, 2000

July 27, 2000

July 26, 2000

July 25, 2000

July 24, 2000

July 23, 2000

July 22, 2000

<editor problems, change log for 0.4.1.2 - 0.4.1.1 lost>

BETA RELEASE!!! 0.4.1!!! - July 19, 2000

July 19, 2000

BETA RELEASE!!! 0.4.0!!! - July 8, 2000

July 8, 2000

July 5, 2000

July 4, 2000

BETA RELEASE!!! 0.3.0!!! - July 3, 2000

July 3, 2000

July 2, 2000

BETA RELEASE!!! 0.2.1!!! - July 1, 2000

July 1, 2000

June 30, 2000

BETA RELEASE!!! 0.2.0!!! - June 29, 2000

June 29, 2000

June 28, 2000

BETA RELEASE!!! 0.1.0!!! - June 27, 2000

June 27, 2000

June 26, 2000

June 25, 2000

June 24, 2000

June 23, 2000

June 21, 2000

June 20, 2000

June 19, 2000

June 18, 2000

June 17, 2000