(copy of the mail posted on devel and user mailinglist)

yo

We got in security group an alert 2 days ago,
pointing out several unknown (yet) vulnerabilities in all versions of
Tikiwiki.

There was also another flaw still existing in tiki-graph_formula.php that was the reason of 1.9.8.1 release, reported by Stefan Esser, some days before.

We worked silently on fixing, patching, testing and now we have a
1.9.8.2 release. It's not in our tradition, but I also joined to the
available files 2 patches, one against 1.9.8.1 version (which is quite
small and with no risk of failure) and another one against 1.9.7
version because that's the version that is still available in
fantastico for shared hosting, and it's also shipped in ubuntu (since
feisty).

I urge every tikiwiki master to upgrade their version as soon as
possible.

http://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549

Fixes have been copied over on 1.10 branch so cvs users for this
branch just can cvs up.

Let's also thank L4teral that reported those flaws in a very
detailled way, and helped to check the fixes. We are grateful as well for Stefan Esser / SektionEins GmbH, that helped improving the previous security fix.

The details of the flaws are explained on http://www.securityfocus.com/archive/1/482801/30/0/threaded


cheers,
mose, for the Tikiwiki Security Group