[Savane-announce] Savane Release 1.0.2: bugfixes, cosmetics improvements and security fixes (March 29, 2004 - 15:07)



Savane 1.0.2 is released today. Some bugfixes/tasks were planned for
this release but are postponed, since this release covers one
significant security fix, for a bug that could lead to remote code
execution as the webserver user via the file
frontend/php/include/vars.php.

You are advised to update your copy ASAP. In itself, it cannot be a
significant problem, but combined with other security holes on a
webserver it could lead to the worst.
This bug does not explain Savannah's November compromise, as this code
was not in the running Savane version during the compromise, and we
are not aware of any exploit made with that bug.

- The release tracking has been made with item task #247 at Gna!

- Tarball gpg-signed by myself is available at

- Changes from 1.0.1 to 1.0.2:

        * Cosmetic improvements (closes: bugs #303, bugs #290).
        * Fix spelling issues (closes: bugs #307)
        * Code cleanups (closes: task #257).
        * Fix side effect at the end of user/project list (closes: bugs #296).
        * Fix PHP Warnings when commenting a support request (closes:
          bugs #280).
        * Update i18n.
        * Remove the X-Copy-to header from the mails sent, but send mails
          with one call to mail(), in order to send one mail, with one
        * The dependencies list mentions if an item is closed (closes: task #263).
        * Fix the "Disabling CVS" method under Active Features so it removes
          CVS links from the main page (closes: bugs #299).
        * Allow dashes by default for group names (closes: bugs #292).
        * Fix history info for global notification (closes: bugs
        * Fix global notification settings cancelling notification,
          thanks to Sylvain Beucler (closes: bugs #314).
        * No longer automatically [ and ] to item pointers, as
          altering content proves to be more frequently annoying than
        * Follow RFC 822 and quote real names in From: and To: mail
          headers whenever appropriate (closes: bugs #313).
        * Show with icons whether dependent items are closed (closes:
          task #264).
        * Fix a bug that caused bookmarks to no longer be named
          properly (closes: bugs #285).
        * $feedback is now converted to html entities (closes: bugs #320).
        * Security fix to avoid remote code execution by the webserver. 

I'd like to thank Sylvain Beucler for the frequent reports he made,
helping us to improve the software for this 1.0.2 release, and Lorenzo
Hernandez Garcia-Hierro for the security checks that found the
vars.php bug.


-- 
Mathieu Roy

  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |