Autumn is the season of security alerts. Here we have a new one, and then a new release.
Get the new version 184.108.40.206 of Tikiwiki right now or you will burn in hell.
(copy of the mail posted on the devel and user mailing lists)
We received in the security group (firstname.lastname@example.org) an alert 2 days ago,
pointing out several as-yet-unknown vulnerabilities in all versions of
There was also another flaw still present in tiki-graph_formula.php, the one reported by Stefan Esser some days before that was the reason for the 220.127.116.11 release.
We worked silently on fixing, patching and testing, and now we have a
18.104.22.168 release. It's not in our tradition, but I also added to the
available files 2 patches: one against the 22.214.171.124 version (which is quite
small and carries no risk of failure) and another against the 1.9.7
version, because that's the version that is still available in
Fantastico for shared hosting, and it's also shipped in Ubuntu (since
I urge every tikiwiki master to upgrade their version as soon as
Fixes have been copied over to the 1.10 branch, so cvs users of this
branch can just cvs up.
Let's also thank L4teral, who reported those flaws in a very
detailed way and helped to check the fixes. We are grateful as well to Stefan Esser / SektionEins GmbH, who helped improve the previous security fix.
The details of the flaws are explained on http://www.securityfocus.com/archive/1/482801/30/0/threaded
mose, for the Tikiwiki Security Group