Slash 2.2.4 Released

posted by pudge on 12:27 PM January 14th, 2002
Slash 2.2.4 is released. It is strongly recommended that you upgrade from version 2.2.0 through 2.2.3. This release fixes an admin.pl scripting vulnerability which could be used to obtain passwords or other private information.

Download it via HTTP or FTP, and read the README and changelog.

Upgrading from 2.2.2 also entails some extremely minor SQL changes; from 2.2.1 you must update the template header;misc;default; from 2.2.0 also update the template displayForm;submit;default.

All admins should turn off JavaScript on their browsers until the site is upgraded.

There are two other minor bugfixes in this release as well (see the CHANGES file for details).

  • What SQL changes have taken place? I've been updating from 2.2.0 to the latest as these bugs have appeared, but now that there seems to be a SQL change, and it's not really documented, I'm a little concerned.
    --
    It's either on the beat or off the beat, it's that easy.
  • Where is Zoo.pm in the release? I'm trying to get the 'friend/foe' installed on my slash site, but can't find the plugin anywhere. Is anyone running it besides slashdot and here?
    • It's in the development branch of the CVS tree.
      --
      lottadot [lottadot.com]
    • It's development. It's not finished and I am currently redoing the schema to add in some more features. It's not really ready for primetime yet.
      --
      You can't grep a dead tree.
  • by Anonymous Coward
    Is there something you can grep for in logs to see if this exploit has been used on a site?

    Thanks!
    • From the notice at the oreilly site [oreillynet.com], I gather you just have to look for users with permissions set higher than warranted---in other words, only your authors should have permissions set higher than 1 (or whatever). To quote:

      Once Slash has been upgraded, users should check their users seclev field to insure that no unauthorized user has a value equal to or greater than 100, and should change their passwords.

      So just look at the db directly, something like

      select uid, nickname, seclev from users where seclev>1;
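The post-upgrade check the comment above describes, carried a step further as an added example (not Slash's own code): instead of eyeballing every row with an elevated seclev, compare the accounts at or above the advisory's threshold of 100 against an allowlist of admin uids the site operator maintains. It assumes a `users` table with the columns `uid`, `nickname` and `seclev` as in the query above, and uses an in-memory SQLite table with constructed rows in place of the real Slash database.

```python
"""Audit a Slash 'users' table for unexpected admin-level accounts.

Added example, not part of Slash. Assumes the users table has the
columns uid, nickname, seclev (as the page's query does) and that the
operator keeps an allowlist of the uids that are supposed to be admins.
"""
import sqlite3

# Threshold quoted from the advisory: a seclev of 100 or more is admin-level.
ADMIN_SECLEV = 100

# Constructed sample rows: uid 1 and 2 are the site's intended admins,
# uid 5 is an ordinary reader, and uid 9 is a regular user whose seclev
# was raised to 100 without authorization.
SAMPLE_USERS = [
    (1, "site_admin", 10000),
    (2, "editor", 100),
    (5, "reader", 1),
    (9, "mallory", 100),
]


def load_sample_db():
    """Build an in-memory users table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT, seclev INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_unexpected_admins(conn, known_admin_uids, threshold=ADMIN_SECLEV):
    """Return (uid, nickname, seclev) for every account at or above the
    admin threshold whose uid is not in the operator's allowlist."""
    rows = conn.execute(
        "SELECT uid, nickname, seclev FROM users WHERE seclev >= ? ORDER BY uid",
        (threshold,),
    ).fetchall()
    return [row for row in rows if row[0] not in known_admin_uids]


if __name__ == "__main__":
    db = load_sample_db()
    for uid, nick, seclev in find_unexpected_admins(db, known_admin_uids={1, 2}):
        print(f"uid {uid} ({nick}) has seclev {seclev}: review it and reset the password")
```

Against a real site, point the query at the Slash MySQL database instead of the sample table and fill the allowlist from your own records of who is supposed to hold admin access.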