The eZ Publish 3.9.4 and 3.8.10 releases fix two security issues of medium severity. These releases also fix several reported bugs. As we only maintain the last two major releases, this marks the end of eZ Publish 3.8.x support. The supported major releases are now eZ Publish 3.9.x and eZ Publish 3.10.x.

The issues mentioned below are not critical for most users, but they have been assigned a medium severity level. This is because the issues might be used to reveal content that was not meant to be visible.

[EZSA-2007-004] Keyword fetch function did not take "hidden" flag into account
Severity: Medium

The template function for fetching objects that contain specified keywords did not take into account whether the returned nodes were hidden. For example, in the standard eZ Publish distribution, it was possible for users to access hidden blog posts using the tag cloud.

http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2007_004_keyword_fetch_function_did_not_take_hidden_flag_into_account

[EZSA-2007-005] "Browse" view of the "content" module did not take "hidden" flag into account
Severity: Medium

The "browse" view of the "content" module did not take into account whether the requested node was hidden. This could expose the name of hidden nodes to users who do not have the access permissions to see them. However, only the name of the node was exposed, not the entire contents of the object. Also, in order to exploit this error, the user would need to know or guess the node ID.

http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2007_005_browse_view_of_the_content_module_did_not_taken_hidden_flag_into_account

eZ Publish 3.9.4 changelog
http://ez.no/download/ez_publish/changelogs/ez_publish_3_9/changelog_3_9_3_to_3_9_4

eZ Publish 3.8.10 changelog
http://ez.no/download/ez_publish/changelogs/ez_publish_3_8/changelog_3_8_9_to_3_8_10

The releases are available for download from the eZ Publish download page.
http://ez.no/download/ez_publish

Best regards,
Vidar L
--
[EMAIL PROTECTED] | eZ systems | ez.no
