Autumn is the season of security alerts. Here we have a new one, and then a new release.
Get the new version 22.214.171.124 of Tikiwiki right now or you will burn in hell.
(copy of the mail posted on devel and user mailinglist)
We got in security group an alert 2 days ago,
pointing out several unknown (yet) vulnerabilities in all versions of
There was also another flaw still existing in tiki-graph_formula.php that was the reason of 126.96.36.199 release, reported by Stefan Esser, some days before.
We worked silently on fixing, patching, testing and now we have a
188.8.131.52 release. It's not in our tradition, but I also joined to the
available files 2 patches, one against 184.108.40.206 version (which is quite
small and with no risk of failure) and another one against 1.9.7
version because that's the version that is still available in
fantastico for shared hosting, and it's also shipped in ubuntu (since
I urge every tikiwiki master to upgrade their version as soon as
Fixes have been copied over on 1.10 branch so cvs users for this
branch just can cvs up.
Let's also thank L4teral that reported those flaws in a very
detailled way, and helped to check the fixes. We are grateful as well for Stefan Esser / SektionEins GmbH, that helped improving the previous security fix.
The details of the flaws are explained on http://www.securityfocus.com/archive/1/482801/30/0/threaded
mose, for the Tikiwiki Security Group