Hey all,

We've made a new release 0.7.3 which includes a critical security fix
for anyone using django-threadedcomments' free comment ability. It
allowed editing of free comments, but performed no checks to ensure
the original poster is the person editing the comment. This enabled an
attacker to modify comments, but this also reset the owner to that
person, which could allow an attacker to delete comments. This has been
corrected in django-threadedcomments 0.5.3 (included in Pinax 0.7.3).
Free comment editing has been disabled entirely. If you were
relying on it, you should be aware of the issues this presents, and we
would love a better contribution for improving this for your use
cases.

This release has some other minor fixes. At some point we will release
a version of 0.7.X with better Django 1.2 support (0.7.3 does include
an improved django-generic-flatblocks which supports 1.2).

Our development focus has been on 0.9, which only supports 1.2+. If you
really need 1.2+, it might be best to look that way.

Downloads are available at the usual URLs: http://pinaxproject.com/docs/

Thanks all.

-- 
Brian Rosner
http://oebfare.com
http://twitter.com/brosner
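The fix described above boils down to an ownership check that runs before the edit is saved, and to never rebinding the comment's owner on save. The following is an added illustration, not code from this announcement or from django-threadedcomments; it uses plain-Python stand-ins (`User`, `Comment`, `PermissionDenied`, `edit_comment`) for the Django models and view so that it runs without Django installed.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (a 403 in a view)."""


@dataclass
class User:
    # Hypothetical stand-in for request.user
    username: str
    is_authenticated: bool = True


@dataclass
class Comment:
    # Hypothetical stand-in for the comment model; `owner` is the original poster
    id: int
    owner: str
    text: str


def edit_comment_unchecked(editor: User, comment: Comment, new_text: str) -> Comment:
    """The pattern the announcement describes: no ownership check, and saving
    rebinds the comment to whoever submitted the edit (the owner reset)."""
    comment.text = new_text
    comment.owner = editor.username
    return comment


def edit_comment(editor: User, comment: Comment, new_text: str) -> Comment:
    """Hardened edit: only the original poster may change the comment, and the
    owner field is never rewritten as part of an edit."""
    if not editor.is_authenticated:
        raise PermissionDenied("anonymous users cannot edit comments")
    if comment.owner != editor.username:
        # In a Django view this is where you would return HttpResponseForbidden
        # (or let PermissionDenied propagate) instead of calling form.save().
        raise PermissionDenied(f"{editor.username} does not own comment {comment.id}")
    comment.text = new_text
    return comment


def try_edit(editor: User, comment: Comment, new_text: str) -> tuple:
    """Attempt a hardened edit; return (succeeded, owner after, text after)."""
    try:
        edit_comment(editor, comment, new_text)
        return (True, comment.owner, comment.text)
    except PermissionDenied:
        return (False, comment.owner, comment.text)


if __name__ == "__main__":
    # Constructed sample data
    alice, mallory = User("alice"), User("mallory")
    c = Comment(1, "alice", "original text")

    # With the unchecked version, mallory's edit also becomes mallory's comment
    print(edit_comment_unchecked(mallory, Comment(2, "alice", "hi"), "changed"))
    # With the hardened version, the edit is refused and ownership is untouched
    print(try_edit(mallory, c, "changed"))
    print(try_edit(alice, c, "changed"))
```

The important detail is the second check: the owner comparison happens against the stored record, not against anything submitted with the form, and the owner field is simply not part of what an edit may write.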
