Security alert: SQL Injection attack for StatusNet 1.0.x and 1.1.x
Thanks to Elly Fong-Jones for identifying, and Joshua Wise for fixing, a potential SQL injection attack on all versions of StatusNet after 1.0.0. The vulnerable code is in the section that provides user lists; an attacker can extract unauthorized information from the database by crafting a particular tag format.
New versions of StatusNet have been released that include a patch to fix these errors:
- StatusNet 1.1.1 is recommended for all installations. It includes a fix for this SQL injection and additional fixes for potential (but not actual) injection errors. It also includes bug fixes for other issues.
- StatusNet 1.0.2 is recommended for StatusNet 1.0.0 and 1.0.1 users who aren't ready to upgrade to 1.1.1. It includes only the SQL injection fixes.