(copy of the mail posted on devel and user mailinglist)


We in the security group got an alert 2 days ago,
pointing out several unknown (yet) vulnerabilities in all versions of

There was also another flaw still existing in tiki-graph_formula.php that was the reason for the release, reported by Stefan Esser some days before.

We worked silently on fixing, patching, testing and now we have a release. It's not in our tradition, but I also attached to the
available files 2 patches, one against version (which is quite
small and with no risk of failure) and another one against the 1.9.7
version because that's the version that is still available in
fantastico for shared hosting, and it's also shipped in ubuntu (since

I urge every tikiwiki master to upgrade their version as soon as


Fixes have been copied over to the 1.10 branch, so cvs users of this
branch can just cvs up.

Let's also thank L4teral, who reported those flaws in a very
detailed way and helped to check the fixes. We are grateful as well to Stefan Esser / SektionEins GmbH, who helped improve the previous security fix.

The details of the flaws are explained on http://www.securityfocus.com/archive/1/482801/30/0/threaded

mose, for the Tikiwiki Security Group