Important security alert for all versions of StatusNet

Evan Prodromou

This morning at 9 AM we received notice of a security vulnerability in all versions of the StatusNet software. The StatusNet team has verified the vulnerability and identified a separate but similar vulnerability in another block of code. For these reasons, we've issued Security Alert 0000002 and made new versions of all three branches of our software available for download.

 
We've also issued a new version of the old branch, 0.7.x, to service users who haven't yet upgraded to the stable version. We opted not to upgrade the name of this version to avoid any unnecessary effort on the part of upgraders.

 
We highly recommend that all users of the StatusNet software upgrade to a newer version immediately.
 
Thanks to Mark Piper for identifying the vulnerability and alerting the StatusNet development team. The vulnerability is in the online help documentation feature. An attacker who supplies carefully crafted URLs can force the Web server to serve arbitrary files from the filesystem, and can use this to retrieve important security files from the system. More information is available in Security Alert 0000002.
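One way to guard a help-page feature against this class of bug, shown as an added example that is not StatusNet's code or the fix shipped with the alert: allow-list the requested page name, then confirm the canonical path still sits inside the documentation directory. The function name `resolveDocPage`, the `help-pages` directory and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical help-page resolver, not StatusNet's own code.
// resolveDocPage() and the "help-pages" layout are assumptions.

function resolveDocPage(string $docRoot, string $title): ?string
{
    // 1. Allow-list the page name: letters, digits, '_' and '-' only, so
    //    path separators, dots and NUL bytes never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $title)) {
        return null;
    }

    // 2. Canonicalise both paths. realpath() resolves symlinks and
    //    returns false when the target does not exist.
    $root = realpath($docRoot);
    $path = realpath($docRoot . '/' . $title);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }

    // 3. Containment check: the resolved file must still be under the root.
    //    This catches a symlink inside the directory that points elsewhere.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample data: a throwaway directory with one help page,
// one file outside it, and a symlink that leaves the directory.
$base = sys_get_temp_dir() . '/docdemo_' . uniqid();
mkdir($base . '/help-pages', 0700, true);
file_put_contents($base . '/help-pages/about', "About this site\n");
file_put_contents($base . '/secret.txt', "not a help page\n");
@symlink($base . '/secret.txt', $base . '/help-pages/faq');

// Only "about" is a real page inside the directory; the rest must be refused.
foreach (['about', 'missing', '../secret.txt', 'about.php', 'faq'] as $title) {
    $hit = resolveDocPage($base . '/help-pages', $title);
    printf("%-16s %s\n", $title, $hit === null ? 'rejected' : 'served');
}
```

Logging the rejected names on the server side also gives operators a simple signal that someone is probing the help endpoint.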
 
