Announcing CMS Made Simple 1.6.7 - Teremba Bay
Feb 23, 2010 by Ted Kulp
This is a security release, with the bonus of having some feature and bug fixes as well. It's recommended that you upgrade as soon as possible, since this flaw has been published and could possibly be exploited as we speak.
Thanks to Beenu Arora and 0x6a616d6573 for testing and pointing out the flaws.
Below is the full list of changes. Enjoy!
Version 1.6.7 - Teremba Bay
-----------------------------
- #3999 Upload a file with apostrophe make problem
- #4137 small text typo in admin/login.php
- #4192 Extra Page Attribute's are listed in the wrong order
- #4208 Don't show inactive template in the page 404
- #4431 UDT names not validated when being edited
- Improvements to XML module generation
- Fixes to prevent possible remote file inclusion vulnerabilities
- Minor improvements to the News module
- New version of TinyMCE
- Improvements to File Manager and Image Manager
- Improvements to Module Manager; upgrade now possible from the "Available Upgrades"-tab
- Adsense-plugin modified, to accept the ad_slot parameter
17 Responses to "Announcing CMS Made Simple 1.6.7 - Teremba Bay"
On: Feb 23, 2010, swx said:
Thanks, excellent work as usual :-) And upgrade went fine, everything still up & running after a few tests.
On: Feb 23, 2010, Ken said:
Woo, hoo! It's nice to see the dev team is still on top!
On: Feb 24, 2010, Russ said:
Good work, but the "cmsmadesimple-base-diff-1.6.6-1.6.7.tar.gz" file seems to have "spurious" empty files in the root, perhaps elsewhere?
action.savetoolbar.php
function.admin_toolbar.php
safari
toolbarpanel.tpl
Please advise,
Russ
On: Feb 24, 2010, Knut Auvor Grythe said:
Why are you bundling a serious security update with almost 5000 lines of other stuff? That is not a "bonus", it is outrageously impractical!
When a serious security issue pops up, you want to be able to upgrade quickly, without using a lot of time for testing. New features or non-critical patches are the exact opposite. I will not rush-install a huge release on a Wednesday morning without testing to see if it will break any of the sites I administer. However, I will gladly apply a 4-line security update (after a quick review of course).
Do not misunderstand, I really appreciate your swift response after the bug was made known, but I do not approve of bundling it with a ton of other changes. You should just have released the new lib/classes/class.module.inc.php as a stand-alone security release, and followed it with the non-critical stuff in a separate release, instead of forcing me to dig out the security patch from a 5000 line diff.
I'm pretty sure that most of your users are people who would actually consider all that other stuff a "bonus" and would not test the software before upgrading anyway, but please do not assume that this applies to everyone. Serious system administrators do not roll that way. At the very least, we want to delay non-critical updates until when we have time to handle any issues the users might experience.
Also, releasing security patches separately clearly shows that you take immediate action, which leaves security-concerned administrators with a very good impression. When you bundle it with a lot of other stuff, it is easy to think that you either made the security patch wait while you completed non-critical stuff, or that you rushed out new features because a security flaw showed up. Both alternatives leave me with a bad taste in my mouth. It could also be the case that you actually had a new release ready at the exact moment you were told about the flaw, but this is not what the security-concerned system administrator will find the most likely scenario.
I understand that CMSMS is made by unpaid volunteers, and that I can't expect everything, but in this case it is very easy to make your project look a lot better for administrators concerned with both security and user experience, so I felt I should let you know.
On: Feb 24, 2010, Ivan O'Donoghue said:
Thanks for the updates. Must check what's new in the new version of TinyMCE.
On: Feb 24, 2010, Totophe said:
I can understand the frustration here.
It could maybe be a good idea to do the following things:
- Have an integrated solution for upgrading minor revisions from CMSMS itself (like modules or WordPress)
- Reserve the third number only for security and bug fixes while the second number is reserved for extra features (could be complicated to manage though)
What is planned for the CMSMS 2 ? ;-)
Anyway, good job folks !
On: Feb 24, 2010, Paul Baker said:
Ref. the empty files - see Ted's post on the forum (Announcements) at
http://forum.cmsmadesimple.org/index.php/topic,41830.0.html
He is aware of it.
On: Feb 24, 2010, Knut Auvor Grythe said:
Actually, there's no need for changing anything. Simply releasing 1.6.7 with the security fix as the only change would suffice. One could then release 1.6.8 with the other changes. It could even be done the same day.
If you really wanted to, you could give it a separate naming scheme like "1.6.6.1", "1.6.6.r1", "1.6.6 Patch Level 1" or something like that, but I doubt there is any need. These things hopefully won't happen that often anyway. An integrated solution for minor revisions would almost certainly be overkill. WordPress probably has one because they have an awful security track record, so they have to push patches quite often.
You can find the plans for CMSMS 2 by selecting "Development -> Roadmap" in the menu, by the way.
On: Feb 24, 2010, eRage said:
Ted, thanks a lot for this update. Great CMS you got there and I can't wait till 2.0.
On: Feb 25, 2010, Peter said:
Very nice, painless and easy update. Thanks for all your hard work.
On: Feb 27, 2010, steven said:
New version still has the TinyMCE problem?
the message is:
Warning: include(/home1/swtungco/public_html/manukahoney2/modules/TinyMCE/function.admin_profiles.php) [function.include]: failed to open stream: �S�����@�ɮשΥؿ� in /home1/swtungco/public_html/manukahoney2/modules/TinyMCE/action.defaultadmin.php on line 45
Warning: include() [function.include]: Failed opening '/home1/swtungco/public_html/manukahoney2/modules/TinyMCE/function.admin_profiles.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home1/swtungco/public_html/manukahoney2/modules/TinyMCE/action.defaultadmin.php on line 45
On: Mar 1, 2010, Mary said:
Easy to upgrade and I get really nervous about such things. Thanks for all the hard work. Made a donation (again) because I have used lots of similar programs but found CMS Made Simple really is simple and has loads of features.
On: Mar 3, 2010, Chris said:
It is good to hear positive feedback regarding the upgrade and fixes... but to a complete CMSMS novice, can anyone point me to the right place to start, or is there a process map that I can follow please?
On: Mar 11, 2010, Barbara Kite said:
Need some help and don't know where to turn, as my web designer has vanished on me with the $300 I gave as a down payment to enhance my site! Just changed my id and password and can't get into my admin stuff. Now what?