On Mon, Apr 21, 2008 at 3:06 AM, Thomas Waldmann <[EMAIL PROTECTED]> wrote:
> Hi,
>
Hoohoooo! quick upgrade! great wiki engine! just in time flowing u!

> I just wanted to announce that we are currently in final testing of the
> 1.6.3 release - after having worked over the weekend to fix some
> critical security issues.
>
> If you use a previous 1.6 release, especially if you are using ACLs
> (other than for Known: and All:) or if you have a non-empty superuser
> list, please follow this advice:
>
> a) clear your superuser list immediately NOW (e.g. in wikiconfig):
>
>     superuser = []
>
> Note: for farm-like setups with config inheritance it might be not
> enough to comment it out - it could be set to a non-empty list in a
> config you inherit from, so better assign the empty list.
>
> b) if you have very sensitive content in your wiki (e.g. secret stuff
> that must not be read by the unauthorized people or stuff where write
> access is very critical, even if logged), it is suggested that you
> either take away the critical access or shut the wiki down until you
> have installed the fix.
>
> E.g. if write access is critical, but reading is allowed for everybody:
>
>     acl_rights_before = u"All:read" # everybody can read everything,
>                                     # but no one can write
>
> c) You have to restart your web server after making those changes.
>
> d) Watch those pages (if you have an account on the moinmo.in wiki, you
> can subscribe to the pages and you will be notified by email when they
> are changed):
>
> http://moinmo.in/ <-- used for release announcements
>
> http://moinmo.in/SecurityFixes <-- for security fix news
>
> e) Download and upgrade to 1.6.3 as soon as it is available. After
> installing the 1.6.3 code and restarting your web server (see SystemInfo
> page), you can restore your previous acl_rights_* setup and also your
> superuser list.
>
> moin 1.5.x is (as far as we know) not affected by this bug, but if you
> are still running 1.5.x you should also consider upgrading as 1.5.9 was
> the last 1.5.x release and there won't be any updates/fixes for 1.5 any
> more.
>
> We are really sorry about this (the code change [it was a fix for
> another bug] that caused this looked really harmless, but while fixing
> that other bug, it poked an even bigger hole into security in a quite
> unexpected way).
>
> Thomas
>
> _______________________________________________
> Moin-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/moin-user
>
--
'''Process improvement is what begins to bring forth organizations that can foster reliable people!
PI keeps evolving organizations which promoting people be good! '''http://zoomquiet.org
Pls. use OOo to replace M$ Office. http://zh.openoffice.org
Pls. use 7-zip to replace WinRAR/WinZip. http://7-zip.org
You can get the truly Freedom 4 software.
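
Added example (not part of the original mail and not MoinMoin code): the note under a) about config inheritance, shown with plain Python classes, plus a small audit of the temporary settings. DefaultConfig, FarmConfig and the two wiki classes are stand-ins with constructed values, and the acl_rights_before check assumes the read-only case given under b).

```python
# Stand-in config classes with constructed values; not MoinMoin's own code.
class DefaultConfig(object):            # stand-in for the engine defaults
    superuser = []
    acl_rights_before = u""


class FarmConfig(DefaultConfig):        # hypothetical shared farm config
    superuser = [u"FarmAdmin"]          # constructed sample value


class CommentedOutWiki(FarmConfig):     # per-wiki config: line only commented out
    # superuser = [u"WikiAdmin"]
    pass


class LockedDownWiki(FarmConfig):       # per-wiki config following a) and b)
    superuser = []
    acl_rights_before = u"All:read"


def defined_in(cfg, name):
    """Return the class in cfg's MRO that actually supplies attribute `name`."""
    for klass in cfg.__mro__:
        if name in vars(klass):
            return klass
    return None


def audit(cfg):
    """List deviations from the advisory's temporary settings for a config class."""
    findings = []
    source = defined_in(cfg, "superuser")
    if cfg.superuser:
        findings.append("superuser non-empty %r (set in %s)"
                        % (cfg.superuser, source.__name__))
    elif source is not cfg:
        findings.append("superuser empty only by inheritance; assign [] explicitly")
    if cfg.acl_rights_before != u"All:read":
        findings.append("acl_rights_before is %r, not u'All:read'"
                        % cfg.acl_rights_before)
    return findings


if __name__ == "__main__":
    for cfg in (CommentedOutWiki, LockedDownWiki):
        print(cfg.__name__, audit(cfg) or "OK")
```

Commenting the line out in the per-wiki class leaves the farm-level list in effect, which is why the audit reports the class that supplies the value.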
