Posts Tagged ‘foswiki’

When community really matters – security report turned into release 1.1.2 in only 14 hours

The Foswiki project has just been through one of the rare situations where one of our users discovers a serious security issue in our software.

It was one of those moments where many developers were thinking: “Why didn’t I see this?”. Many of us felt embarrassed.

It is a fact of life that when you have humans developing technology, things can and will go wrong. You can do a lot to minimize the risk, and the Foswiki project conducted serious security reviews of the extensive rewrite of our code that took place from 1.0 to 1.1. We found and fixed issues before we even got close to releasing any code to the public, and the Foswiki project has had an impressive security record.

But in the 1.1.0 release we missed a small issue: one code line had been moved down a few lines too many, and as a result we ended up not authenticating the user properly in a specific situation.

This could have been a sad story, but it isn’t. This situation showed what a difference it makes to have a large and strong community behind an open source project.

First I want to give the timeline of the events on the 9th and 10th of November.

  • 09 Nov 2010, a little before noon CET, a user asks a very good question on the Foswiki support web. He could not understand what he had done wrong in setting up access rights, because no matter how he did it, he was able to edit and save preferences in topics he did not have access rights to.
  • Within a few hours a Foswiki developer reads the support question. To his horror, the report is correct. The minute he realizes the nature of the problem, the support question is changed so it can only be viewed by the reporter and the Foswiki Security Task Team.
  • Over the next few hours the Foswiki security mailing list, which only the security team has access to, is glowing with emails. Five hours after the issue was reported, a code fix has been made and tested by the security team members. The time is now near 18:00.
  • At 18:00 I become aware of the situation, and the security team quickly assesses the issue and concludes that it is a security level 2 issue. This means that our goal is to respond within 48 hours and to provide a fix and a security alert to the people who subscribe to our low-traffic announcement mailing list.
  • It is decided that we will release a 1.1.2 as fast as we possibly can. We assess which urgent bugs we want to include in addition to the security fix.
  • The next 8 hours are amazing. Many members of the security team work all night fixing and testing a short list of important bugs. A test of a new version of the Wysiwyg editor is conducted and merged in. Code is checked in, reviewed and tested at a rapid pace. Code is even thrown out again because it is judged too risky. Additional developers are pulled into the IRC channel we have created for the event to get the last review on code fixes.
  • At 19:30 I request a CVE number from MITRE. And they are fantastic at MITRE: we have the number already at 20:00.
  • At 23:00 the security announcement and response plan is written, reviewed and agreed by the security team.
  • At 02:00 on 10 Nov 2010 the 1.1.2 release is built and uploaded to our servers for download.
  • At 02:30 the release announcement is sent to the Foswiki announcement mailing list.
  • At 02:35 the security announcement is sent to the Foswiki announcement mailing list.

So we actually managed to react, assess, fix, finish a release, build the release, and announce within 14 hours.

As I write this, I have just sent the security announcement to the public security sites (48 hours after we did the announcement on the Foswiki mailing lists).

When I think back now on what happened I feel proud.
Proud that we managed to act like professionals even though we all work as volunteers on the project.
Proud because I am part of such a strong development team that cares about the security of our users, and cares about each other.
Proud because as a release manager located in Denmark I had people in the USA, Mexico, Germany, France, the UK, Australia and the Netherlands available to help, test, code, review, and encourage. I had a team backing me up getting the release out and getting the announcements out.

It shows the power of open source projects when they are supported by a committed and dedicated community.

Kenneth Lavrsen

Foswiki Release Manager
Leader of the Foswiki Security Task Team
Member of the board of the Foswiki Association

Release of Foswiki version 1.1.1 – 25 Oct 2010

October 26th, 2010
On behalf of the entire Foswiki community I can proudly announce that Foswiki release 1.1.1 is available for download at

Foswiki web site: http://foswiki.org/Download/FoswikiRelease01x01x01

Foswiki 1.1.1 is a release that fixes some important bugs that were introduced in 1.1.0. It is highly recommended that all sites running 1.1.0 upgrade to 1.1.1.

The entire Foswiki community has been busy the past weeks with very quick responses to the bug reports on 1.1.0. There are always a few bugs in a new “.0” release, but the team has been very committed. The reporters have received quick patches so they could continue their upgrade. The end result is a 1.1.1 which is a very stable and high quality release.

An upgrade package is available for upgrading from 1.1.0 to 1.1.1, so upgrading is quick and easy.

Foswiki 1.1 introduces the jQuery JavaScript user interface framework, improved topic history display, new QUERY and FORMAT macros, a better user interface for group management, a much improved WYSIWYG editor, a facelift of the default skin, a much improved configure tool, and many more enhancements.

Foswiki 1.1 has many improvements that end users as well as administrators will appreciate. In addition, Foswiki 1.1 comes with a lot of “under the hood” improvements to the core code, with the goal of making it easier to plug in work from other projects, such as jQuery, KinoSearch, Solr and others. Work has been done to improve the definition of internal APIs to allow other not-yet-written modules, such as store implementations. Most of these modifications should be invisible to the end user and admin, but they are important to position Foswiki for the next generation of plugins.

What’s new – highlights:

  • Adoption of the jQuery JavaScript user interface framework
  • New macros enabled by jQuery
  • Powerful new QUERY macro
  • SEARCH now has a zeroresults format string and search results pagination
  • New FORMAT macro
  • WikiGroups have add & remove user interface
  • TinyMCEPlugin updates include much better user interface, rowspan support, and autosave feature
  • Testing configuration variables in %IF
  • “Copy topic” now copies attachments
  • Tailoring of user registration made easier
  • Easy tailoring of reset/change password and change email forms
  • TMPL:DEFs may now access previous (overridden) TMPL:DEF using the new %TMPL:PREV% template token
  • Logging of access failures
  • configure user interface revamped
  • Configure file system checks added
  • Newer modern Icon set for Document Graphics
  • Table Plugin has been improved
  • SlideShowPlugin can now use CSS based templates
  • HistoryPlugin and CompareRevisionsAddOn are now included with the default plugin set giving much nicer history/changes features
  • AutoViewTemplatePlugin is now included with the default plugin set
  • ZonePlugin feature set has been merged to the core Foswiki code
  • New page cache feature
  • Several API Enhancements for extension writers

Bugs can be reported at http://foswiki.org/Tasks/CreateNewTask

It is a proud release manager who knows that you will all enjoy the 1.1.1 release.

Kenneth Lavrsen

Foswiki 1.0.10 is out!

September 9th, 2010
Release of Foswiki version 1.0.10 – 08 Sep 2010

On behalf of the entire Foswiki community I can proudly announce the release of the Foswiki patch release 1.0.10.

Foswiki 1.0.10 is available for download at

* Foswiki web site: http://foswiki.org/Download

Foswiki 1.0.10 was built 08 Sep 2010. It is a patch release with more than 410 bug fixes relative to 1.0.0.

If you already run Foswiki 1.0.9 and you do not have any severe issues with it, we recommend that you stay with 1.0.9 and wait for Foswiki 1.1.0, which we plan to release in October. We are going beta within a few days. Foswiki 1.1.0 is an exciting new release that you can all look forward to, with some significant enhancements for both end users and application developers.

The reason for releasing 1.0.10 now is mainly that people installing Foswiki for the first time on Perl 5.12 are having severe issues with the installation. Foswiki 1.0.10 does not have any important enhancements compared to 1.0.9. Read the 1.0.10 release notes, which are available at http://foswiki.org/System/ReleaseNotes01x00, and review whether an upgrade is desired.

The regular version (Foswiki-1.0.10…) is the full version with all files. The upgrade version (Foswiki-upgrade-1.0.10…) contains the full file package except the files that you will typically have tailored in your installation and do not want overwritten when you upgrade. The upgrade package will upgrade any version from 1.0.0 or later to 1.0.10 simply by copying all the files in the upgrade package on top of the existing 1.0.X. The exact steps are described on the download page. If you are at 1.0.0 there is no need to upgrade to 1.0.4 through 1.0.9 first.

Also note that many plugins and other extensions are being released or updated every week. Follow the Extensions News, where important news about extension releases is announced, at http://foswiki.org/Extensions/ExtensionNews

The number of subversion code check-ins is near 9000 now, and still more developers are joining the project.

As release manager on the project I want to say a sincere thank you to all the many who have worked hard to make this release happen. A special thank you to those who tested the release candidate. Remember that you can also upgrade the release candidate using the upgrade package.

Both when you download and install Foswiki and regularly afterwards, you should visit http://foswiki.org/Support/KnownIssuesOfFoswiki01x00, where we list the more annoying bugs that have been found; most often you will find an immediate solution that you can apply.

Many developers are ready to help you with the installation of (or upgrade to) Foswiki on the IRC channel #foswiki on the freenode.org network.

The special installer and virtual machine versions of Foswiki will be updated to version 1.0.10 within the next few days. Keep an eye on the download page if you use one of these versions.

On behalf of the Foswiki Association and the entire Foswiki Community: Enjoy Foswiki 1.0.10.

Kenneth Lavrsen 
Release manager

See the whole discussion on Nabble.

Video Testimonials for Foswiki from community members

The Foswiki community summit last year was a big success. A lot of participants founded an association and had a lot of fun. Some of them talked to me on camera. Hear and see what they had to say about Foswiki:

http://www.youtube.com/view_play_list?p=62E3314371503C9D

Release of Foswiki version 1.0.9

Release of Foswiki version 1.0.9, 17 Jan 2010

On behalf of the entire Foswiki community I can proudly announce the release of the Foswiki patch release 1.0.9.

Foswiki 1.0.9 is available for download from foswiki.org/Download/

Foswiki 1.0.9 was built 17 Jan 2010. It is a patch release with more than 320 bug fixes relative to 1.0.0 and many small enhancements. This release fixes many bugs in the Wysiwyg editor, bugs related to more advanced wiki applications and bugs in the Plugin API. It contains several bug fixes and enhancements related to security and spam fighting.

It is highly recommended to upgrade your Foswiki to 1.0.9.

The regular version (Foswiki-1.0.9…) is the full version with all files. The upgrade version (Foswiki-upgrade-1.0.9…) contains the full file package except the files that you will typically have tailored in your installation and do not want overwritten when you upgrade. The upgrade package will upgrade any version from 1.0.0 or later to 1.0.9 simply by copying all the files in the upgrade package on top of the existing 1.0.X. The exact steps are described on the download page. If you are at 1.0.0 there is no need to upgrade to 1.0.4 through 1.0.8 first.

Also note that many plugins and other extensions are being released or updated every week. Follow the Extensions News, where important news about extension releases is announced, at foswiki.org/Extensions/ExtensionNews

The number of subversion code check-ins is over 6000 now, and still more developers are joining the project.

As release manager on the project I want to say a sincere thank you to all the many who have worked hard to make this release happen. A special thank you to those who tested the two release candidates. Remember that you can also upgrade the release candidates using the upgrade package.

Both when you download and install Foswiki and regularly afterwards, you should visit foswiki.org/Support/KnownIssuesOfFoswiki01x00, where we list the more annoying bugs that have been found; most often you will find an immediate solution that you can apply.

Many developers are ready to help you with the installation of (or upgrade to) Foswiki on the IRC channel #foswiki on the freenode.org network.

The special installer and virtual machine versions of Foswiki will be updated to version 1.0.9 within the next few days. Keep an eye on the download page if you use one of these versions.

On behalf of the Foswiki Association and the entire Foswiki Community: Enjoy Foswiki 1.0.9.

Kenneth Lavrsen
Release manager

Join the conversation also on our nabble-instance.