Subject: CVS commit: pkgsrc/www/geeklog
To: None <pkgsrc-changes@NetBSD.org>
From: Takahiro Kambe <taca@netbsd.org>
List: pkgsrc-changes
Date: 07/01/2006 00:22:38
Module Name:	pkgsrc
Committed By:	taca
Date:		Sat Jul  1 00:22:38 UTC 2006

Modified Files:
	pkgsrc/www/geeklog: Makefile PLIST distinfo
Removed Files:
	pkgsrc/www/geeklog/patches: patch-ag

Log Message:
Update geeklog-1.4.0.4 (1.4.0sr3).

----------------------------------------------------------------------------

Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all previous 1.4.0 releases.

 o  Some of the files outside of the public_html directory were not protected
    against direct execution. If Geeklog was installed such that those files
    were accessible from a URL (which has always been strongly discouraged in
    the installation instructions) then those files could be used to load and
    execute malicious code from a remote server.

    More information: So-called Geeklog "exploit" posted

    In this release, we've added the missing execution prevention for all files
    outside of public_html. We would still, however, suggest that you fix your
    Geeklog install if the files outside of public_html are accessible from a
    URL (see our FAQ for details).
 o  The "mcpuk" file manager that we've integrated into FCKeditor allowed the
    upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
    config.php). Depending on your webserver's configuration, it was then
    possible to execute that uploaded code.

    More information: Exploit for FCKeditor's mcpuk file manager

    The file manager has been removed from this release. You will therefore no
    longer be able to upload files, e.g. images, through FCKeditor. Future
    versions of Geeklog will ship with an updated version of FCKeditor and its
    included file manager.

Note: This release also includes the updated lib-trackback.php for better
protection against Trackback spam.

----------------------------------------------------------------------------

The first problem doesn't relate to pkgsrc.


To generate a diff of this commit:
cvs rdiff -r1.5 -r1.6 pkgsrc/www/geeklog/Makefile
cvs rdiff -r1.2 -r1.3 pkgsrc/www/geeklog/PLIST pkgsrc/www/geeklog/distinfo
cvs rdiff -r1.1 -r0 pkgsrc/www/geeklog/patches/patch-ag

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
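The two defensive measures motivated by the Geeklog release notes quoted above (a direct-execution guard for include-only files outside public_html, and an allowlist filter for file uploads), written here as an added example. This is not Geeklog's, FCKeditor's or pkgsrc's code; the application layout (a front controller under public_html including library files that live outside it), the function names and the image allowlist are assumptions made for illustration.

```php
<?php
// Added example, not code from Geeklog or pkgsrc. Hypothetical layout:
// public_html/index.php is the front controller; library files live
// outside public_html and are only ever included, never requested.

// 1. Direct-execution guard, placed at the top of every include-only file.
//    If the web server is (mis)configured so the file is reachable by URL,
//    the request arrives with this file as the entry script and we refuse
//    to run instead of executing whatever the request supplies.
function refuse_direct_request(string $includedFile): void
{
    $entry = isset($_SERVER['SCRIPT_FILENAME'])
        ? realpath($_SERVER['SCRIPT_FILENAME'])
        : false;

    // Unknown entry point, or the entry point is this very file: stop.
    if ($entry === false || $entry === realpath($includedFile)) {
        if (!headers_sent()) {
            header('HTTP/1.1 403 Forbidden');
        }
        exit('This file cannot be requested directly.');
    }
}
refuse_direct_request(__FILE__);

// 2. Upload filter of the kind a file manager needs before it saves anything
//    under the document root. Only an explicit allowlist of image extensions
//    is accepted, the file content must actually parse as an image, and the
//    stored name is generated server-side so client-chosen names (including
//    double extensions) never reach the filesystem.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $allowed = ['gif', 'jpg', 'jpeg', 'png'];      // assumed allowlist
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                                // extension not allowed
    }
    if (@getimagesize($tmpPath) === false) {
        return null;                                // content is not an image
    }
    // Never reuse the client's base name: build our own.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Usage from the hypothetical upload handler (constructed example):
//   $name = safe_upload_name($_FILES['f']['name'], $_FILES['f']['tmp_name']);
//   if ($name === null) { /* reject the upload */ }
//   else { move_uploaded_file($_FILES['f']['tmp_name'], UPLOAD_DIR . '/' . $name); }
```

The guard compares resolved paths rather than inspecting the URL, so it still works when the library is reached through a symlink or an alias; the upload filter treats the extension check and the content check as independent, since either one alone is easy to pass with a crafted file.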