dl 0.11 is now officially available for download at:

  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.11.zip

The Thunderbird Addon is now also publicly supported, and can be
downloaded here:

  http://www.thregr.org/~wavexx/software/dl/thunderbird.html

The extension/xpi is also contained in the full dl distribution (this
page is just a stand-alone download with a small installation tutorial
for Thunderbird users).

The "dl-wx" pre-built binary has also been refreshed for dl 0.11:

  http://www.thregr.org/~wavexx/software/dl/files/dl-wx-0.11-win32.zip

Release notes for this release:

dl 0.11: 05/07/2013
-------------------

* Fixed CSRF vulnerability of the admin interface (discovered by Dirk
Reimers).
* Mitigations against session fixation attacks (discovered by Dirk Reimers).
* Fixed CSRF vulnerability of the REST interface when used in
combination with HTTP/external authentication.
* Improved client-side validation of the forms (with HTML5/JS where
available).
* Password hashing for the user/ticket/grant DB switched to PHPass.
* Progress bar updating improvements.
* Thunderbird integration is now available through the new included
extension "Thunderbird-Filelink-DL", which converts attachments to links
automatically.
* Minor bug/cosmetic fixes.

Please note: DL 0.11 requires a database schema update! Please read the
database upgrade procedure in the README!

Upgrading to DL 0.11 has implications for existing users. The new hashing
scheme limits usernames to 60 characters and passwords to 72 to prevent
DoS attacks. Users whose usernames/passwords exceed these limits
won't be able to log in after the upgrade, and can only be managed
manually through the command line.

The password hash of existing users is automatically rehashed using the
new scheme upon a successful login (no password change is required).

The optional password of tickets and grants is similarly affected and
upgraded transparently upon successful use. Tickets/grants whose
passwords exceed 72 characters, however, will require a manual
password reset.
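As an added illustration of the rehash-on-login behaviour described above
(this is not dl's own code), the following PHP sketch shows the pattern for
the user DB; the same logic applies to ticket/grant passwords. It assumes
PHP's native password_* API as a stand-in for PHPass, uses an unsalted SHA-1
as a placeholder for the pre-0.11 hash format (which the announcement does
not describe), and keeps the "DB" in a plain array.

```php
<?php
// Added example (not dl's own code): transparent rehash on successful login
// with the 0.11 length limits. Assumptions: PHP's password_* API stands in
// for PHPass, the legacy format is a placeholder SHA-1, and $users stands in
// for the user/ticket/grant DB.

const MAX_USERNAME_LEN = 60;
const MAX_PASSWORD_LEN = 72;

// Placeholder for the pre-0.11 scheme; the real legacy format is not
// described in the announcement.
function legacy_verify(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, sha1($password));
}

// True if the stored value is already in the new (bcrypt) format.
function is_modern_hash(string $storedHash): bool
{
    return password_get_info($storedHash)['algoName'] !== 'unknown';
}

// Returns true on a successful login. Rewrites $users[$username] with a
// fresh bcrypt hash when the stored entry is legacy or below current cost.
function login(array &$users, string $username, string $password): bool
{
    // Enforced before any hashing work: over-long input is rejected outright,
    // which is why pre-existing accounts beyond the limits can no longer
    // log in and have to be handled from the command line.
    if (strlen($username) > MAX_USERNAME_LEN || strlen($password) > MAX_PASSWORD_LEN) {
        return false;
    }
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];

    if (is_modern_hash($stored)) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Already migrated; rehash only if the cost parameters were raised.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
            $users[$username] = password_hash($password, PASSWORD_BCRYPT);
        }
        return true;
    }

    // Legacy entry: verify with the old scheme, then rehash with the new one
    // now that the plaintext is in hand. No password change is required.
    if (!legacy_verify($password, $stored)) {
        return false;
    }
    $users[$username] = password_hash($password, PASSWORD_BCRYPT);
    return true;
}

// Constructed sample DB: one legacy entry and one over-limit username.
$users = [
    'alice' => sha1('correct horse'),
    str_repeat('x', 61) => sha1('whatever'),
];

var_dump(login($users, 'alice', 'wrong password'));       // wrong password: must fail, entry untouched
var_dump(is_modern_hash($users['alice']));                // still the legacy hash
var_dump(login($users, 'alice', 'correct horse'));        // correct password: succeeds and migrates
var_dump(is_modern_hash($users['alice']));                // now a bcrypt hash, rehashed in place
var_dump(login($users, str_repeat('x', 61), 'whatever')); // 61-char username: rejected by the limit
```

Note that the legacy entry is only ever upgraded on a successful
verification against the old scheme, so a failed attempt never touches the
stored value; an account that can no longer pass the length check simply
stays on its old hash until an administrator resets it.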

To fully prevent CSRF attacks on the REST interface when used in
combination with HTTP authentication, the protocol has been changed in an
incompatible way. Clients (such as the supplied "dl-wx") require an
upgrade, though new clients can still communicate with an old server.

-------------------

Thanks again to all the testers, contributors and translators that made
this release possible.
