Slash Open Source Project

Slash 2.2.6 Released

posted by jamiemccarthy on 02:34 PM July 3rd, 2002
Slash 2.2.6 is released. It is strongly recommended that you upgrade from any prior version in 2.2 (i.e. 2.2.0 through 2.2.5). This release fixes a cross-site scripting (XSS or CSS) vulnerability which could be used to obtain passwords or other private information from both users and admins.

Please be aware that this is not related to the XSS vulnerability in CVS which was fixed earlier this week. This is a separate vulnerability with similar consequences, and it is equally serious.

The vulnerable Slash versions are these: 2.2.0 through 2.2.5, and pre-release Slash in CVS up through July 1. Other versions are not vulnerable.

To upgrade from 2.2.5, unpack the 2.2.6 tarball and "make install," then restart Apache and the slashd daemon. The 2.2.6 tarball is available via SourceForge.net and FTP.

Upgrading from earlier 2.2.x versions involves slight additional effort. From 2.2.4, update the template messages;users;default. From 2.2.2, there are also some extremely minor SQL changes. From 2.2.1 you must update the template header;misc;default; and from 2.2.0, also update the template displayForm;submit;default.

If you are running Slash from CVS, hopefully you saw yesterday's notice to upgrade for the other (again, unrelated) XSS vulnerability, and upgraded your site to current CVS, and therefore are not affected by this.

We do not believe that attackers "in the wild" have exploited this, but please update quickly anyway.

This discussion has been archived. No new comments can be posted.
  • Hi,

    the reason I ask is, that I can't update anymore, because the wishes of our customer lead to changes nearly everywhere in the 2.2.5 code.
    Nevertheless I would be glad to fix these holes.
    So could you answer this question or send me the file names via e-mail?

    this would be greatly appreciated!

    kind regards,
    Tom
    --

    funny, there's a brightness dial on the monitor, but the users don't get any smarter

    • Or just be so kind to explain, if this vulnerability is limited to injection of malicious html code via comments/articles.
      As we don't allow any html code in articles or comments, we wouldn't be affected...

      kind regards,
      Tom

      --

      funny, there's a brightness dial on the monitor, but the users don't get any smarter

    • Okay,
      as far as I found information about this possible attack, it's fixed

      kind regards,
      Tom

      --

      funny, there's a brightness dial on the monitor, but the users don't get any smarter

    • I am in a similar situation - I have been keeping up with the fixes by doing a diff on the releases and manually applying the differences:

      diff -r slash-2.2.5 slash-2.2.6

      if this is not a good idea, let me know!
    • Look at the link into CVS.
      What changes did you make?
      --
      You can't grep a dead tree.
      • What changes did you make?
        I delete all html in submitted/edited comments/stories and then delete all parameters supplied with the custom tags used for formatting.
        The complete list of changes to slash: impossible to say.
        The reason is, that at first our customer agreed to use slash the way it works at first. As the responsible guy (a major PITA, if I may add this remark) saw what this means he freaked out. Despite the fact that everything was settled in an hourly discussion weeks before, he now insisted on major changes to everything. We wanted to provide something superior, and he wanted phpBB.
        Things reusable for other slashsites will hopefully be released soon. I programmed some changes to the mailit2 plugin (they should be incorporated in the next release) and a new plugin that allows to maintain the static pages from within a very (very!) simple cms-like interface, this should be usable for small to midsize sites without a big performance penalty.
        the site is at http://www.krankenkasse.de
        kind regards,
        tom
        --

        funny, there's a brightness dial on the monitor, but the users don't get any smarter

    • If you're using CVS, you could probably do something like this:

      cd /usr/local/src/slash/fry/slash
        (or wherever your checkout of slash version _fry_ is)
      cvs update -dP
      cvs diff -rv2_2_5_0 > /tmp/difflist

      and then view the /tmp/difflist file. I'm no cvs expert, but I think that'll show you what files have changed.
      --
      lottadot [lottadot.com]
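
The release-to-release comparison suggested in the comments above, extended as an added example (not part of the thread or of Slash itself) to sort each changed file by whether a customized site can take the new copy as is or has to port the fix by hand. The function name and the third, customized-tree argument are assumptions.

```sh
#!/bin/sh
# Added example, not part of Slash: compare two pristine release trees with a
# locally customized tree and report how each upstream change can be ported.
# Usage: classify_changes slash-2.2.5 slash-2.2.6 /path/to/customized/tree
# (the third path is an assumption; the first two are the unpacked tarballs).
#
# Output, one line per file that differs between OLD and NEW:
#   DONE   path   local copy already matches NEW
#   COPY   path   local copy is untouched (or the file is new): take NEW as is
#   MERGE  path   local copy was customized or removed: port the change by hand
#   DELETE path   file no longer exists in NEW
classify_changes() {
    old=$1; new=$2; site=$3
    # Union of the relative file paths present in either release tree.
    { (cd "$old" && find . -type f); (cd "$new" && find . -type f); } |
    sort -u |
    while IFS= read -r f; do
        f=${f#./}
        if [ ! -e "$new/$f" ]; then
            echo "DELETE $f"
        elif [ ! -e "$old/$f" ]; then
            # Added upstream: only a conflict if the site already uses the name.
            if [ -e "$site/$f" ]; then echo "MERGE $f"; else echo "COPY $f"; fi
        elif cmp -s "$old/$f" "$new/$f"; then
            :   # unchanged between the releases, nothing to port
        elif [ -e "$site/$f" ] && cmp -s "$new/$f" "$site/$f"; then
            echo "DONE $f"
        elif [ -e "$site/$f" ] && cmp -s "$old/$f" "$site/$f"; then
            echo "COPY $f"
        else
            echo "MERGE $f"
        fi
    done
}
```

Every MERGE line is a file where the security fix and a local change touch the same file, so those are the ones to review against `diff -u` of the two releases.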
  • ...if I have heavily customized everything? I have been reading about template-tool, and dumping that out, then re-introducing the changes to the new version, but what about plugins, images, etc.?

    I've also been trying to read up on the move to CVS - seems a bit daunting, what with the customization and all, but the features...ahh the features...

    Any advice from long-time Slash users on updating? What's the best way?

    -CG  :)

    • Have your changes been in the libs and scripts or just in templates?
      If just templates, create a theme for yourself. Once you have a theme for your site it is quite easy to keep it updated.
      --
      You can't grep a dead tree.
    • you'll find that actually maintaining a file/log that tracks your changes/alterations to the base code makes it real easy to either progress, contribute, or otherwise abandon them as development moves forward. a larger project would be to maintain a theme. i do the former and need to get into the latter.
      • This is a GREAT idea.

        I've never even given much thought to it. I usually just make a change and just as quickly forget about it (at least if it works). Sometimes, I'll just put comments in whatever I'm changing, but keeping a separate file/log that shows all of the changes made to various scripts/files is one of those simple ideas I keep forgetting. It's like the old saying, "If you don't write it down, it didn't happen".

        Thanks for the reminder of the simple tip.
  • by Anonymous Coward
    This may be a silly question. I've updated and everything seems to be running smoothly, but I'd like to check the current running version is 2.2.6. Where can I get Slash's version from?

    -Yorrike

  • I am in the process of upgrading from a month-old CVS version to current CVS, and am having to run down some mysql schema changes. For example, a month ago there was no "last_update" column in the "sections" table, but now I need one. Is there a simple way to bring my database schema up to date without losing any of my data? Also, is there a way to even find out what schema changes have been made? I still don't see any entries made in the CHANGES file since version 2.0, or any logs at all of changes like t
    • Doh. My bad. I just figured out the version comments in the "upgrades" sql file. I was pulling change info out of there, but didn't realize it was a linear file time-wise. Sorry!

      I thought it was meant to run in its entirety for upgrading from a tarball release, and I had it stuck in my head that it was organized by schema, not by version.

      Anyway, I had found all but a couple changes by hand from the httpd logs and fixed them, now that I understand the upgrades file better I pulled out some of the less visible alterations and applied them as well.

      I still think it would be good to provide some info in the top-level readme that points out where stuff like this can be found and used so impatient blowhards like me will find it faster.  ;)
      • Write a FAQ on upgrading from CVS. Just use your current experience. I am sure it would be appreciated.
        --
        You can't grep a dead tree.
  • Saying that no attackers have been found "in the wild" is a blatant lie. The bug was used earlier today on Macslash of all places (which is running a 1.something version) and was used to change all links to everyone's favorite ass-stretching web site.

    Of course, the bug was first found [sourceforge.net] after being used to refer people on slashdot to same site.

    Obviously, EVERYONE needs to update. Not just post-2.2.0 users.

    The Macslash comments (not the redirect itself, as it was deleted) describing what happened can be fou