
Security

The Foswiki project is very pleased to announce availability of Foswiki 2.1.4.

Everybody is urged to upgrade, as this release comes with 31 fixes and also includes a couple of security fixes. We thank the many Foswiki users who have taken the time to report issues in our Tasks tracker, and in many cases also suggest fixes. People are welcome to fork Foswiki on GitHub and contribute fixes using pull requests. We are grateful to everyone whose contributions have made this release possible.


How to get the release?

Installation instructions

For installation information, see the System Requirements and the Installation Guide. Please report issues in the Task Tracker. We are looking forward to an interesting 2017 in the Foswiki space. There are several feature proposals under review which could be quite transforming for the next major Foswiki release.

Foswiki 2.1.3 ready to download
Recommended release for security fixes

13 Feb 2017 | GeorgeClark | Development, Release, Security

Mostly it's been a quiet year 2016, as Foswiki 2.1.2 has been running very reliably. But while the project has been quiet, much work has been going on preparing for the next release. And here it is, tada: 2.1.3

In fact, everybody is urged to upgrade, as this release comes with a few important fixes: not only cleaning up the code and improving performance, but also addressing a couple of security bugs. We have been working together with Intel, who performed dynamic site scans to detect common cross-site scripting attacks as well as static scans of the Perl and JavaScript code base itself. A big “Thank You” from the Foswiki Community to Intel, who continue to run security audits on a regular basis.

We also thank the many Foswiki users who have taken the time to report issues in our Tasks web, and in many cases also suggest fixes. We also welcome users to fork Foswiki on GitHub and contribute fixes using pull requests. We are grateful to everyone whose contributions have made this release possible.


How to get the release?

Installation instructions

For installation information, see the System Requirements and the Installation Guide.

Please report issues in the Task Tracker.

We are looking forward to an interesting 2017 in the Foswiki space. There are several feature proposals under review which could be quite transforming for the next major Foswiki release.

Highlights of this release

  • Contains 96 fixes relative to 2.1.0 (42 of which are enhancements)
  • New release of JQuery
  • Fixes several performance issues
  • Fixed a few minor security issues.
  • An updated Virtual Machine has been built, using the latest Ubuntu LTS release.

See ReleaseNotes02x01 for complete release notes.

Release Statistics

  • 272 commits (code changes) since 2.1.2
  • 18 Developers and Translators worked on this release
  • 98 Tasks had commits in this release
  • 7 Security tasks were closed in 2.1.3

Foswiki 2.0.3 is released

16 Nov 2015 | George Clark | Development, Release, Security

Hello Foswiki Community,

We are very pleased to announce that Foswiki 2.0.3 is available for download.

Highlights of this release

  • 17 fixes and 1 enhancement
  • major performance bug fixed in EditRowPlugin and in Foswiki rendering
  • several “Severity 3” security issues fixed, documented in tasks per the Foswiki security process.
  • the Ukrainian translation has been greatly improved.

See Release02x00x03 for complete release notes. See FoswikiRelease02x00x00 for highlights of the 2.0 release.

Security fixes

Item13796: SpreadSheet CALC/CALCULATE macro can insert unencoded < and >. This fix may require setting changes in topics or Web Preferences.

Translation status

As of this release,

  • Traditional Chinese, Danish, French, German and Italian are >99% complete.
  • Czech is >96% complete.
  • Dutch, Norwegian, Portuguese (Brazil) and Ukrainian are 70-88% complete.
  • Other languages are 60% complete or lower.

Special thanks to all the developers, translators and testers who have worked to make this release possible.

George Clark
Release Manager, Foswiki 2.0


Hello Foswiki Community,

We are very pleased to announce that Foswiki 2.0.2 is available for download. Nearly 7 years ago, November 19th, 2008, the Foswiki name was announced. Since then, the project has made approximately 22 releases of Foswiki. This release builds upon the collective effort of many developers and sponsors across the 7 year project history. Foswiki 2.0.2 was built on 30 September 2015.

Highlights of this release

  • 65 fixes and 5 enhancements
  • Major performance bug fixed in Query search. Some sites have seen 350% improvement.
  • Several “Severity 3” security issues fixed. Documented in tasks per the Foswiki security process.
  • Configuration wizard added to incorporate manually installed extensions and check for configuration errors from the command line.
See the ReleaseNotes02x00 for complete release notes. See the FoswikiRelease02x00x00 for highlights of the 2.0 release.

For users

Several significant compatibility fixes to the EditRowPlugin make it much more viable as a replacement for the EditTablePlugin.

For administrators

Security fixes:

  • Item13741 addresses URLPARAM encoding. Topic review recommended.
  • Item13764 addresses guest commenting. Topic review recommended.
  • Item13739 addresses login and registration field encoding.
  • Item13772 addresses edit script parameter encoding.

Note that access to these tasks is currently restricted to give sites time to update.

The following actions are recommended. They are needed to block possible Cross-Site Scripting (XSS) attacks.

  • If your site has enabled Guest commenting (not a default configuration), then after installation of this update any customized comment templates need to be carefully reviewed. Any instances of encode="off" found in the output templates should be changed to encode="$encodeguest". This fix is available to older releases using the latest CommentPlugin from the Extensions web.
  • After installation of 2.0.2, any topics containing %URLPARAM% macros should be reviewed. We recommend that any browser input be entity encoded: %URLPARAM{"somefield" encode="entity"}%. Foswiki 2.0.2 has enhanced this to permit combinations of encodings: %URLPARAM{"somefield" encode="quote, entity"}%. The Foswiki 2.0.2 SEARCH macro has a new feature to undo any parameter encoding, so when used with SEARCH we recommend the following: %SEARCH{"%URLPARAM{"somefield" encode="quote, entity"}%" decode="entity"}%. Used in this way, it permits searching for literal strings containing any characters without introducing any XSS paths.

Caution: The changes to the %URLPARAM% macro are not backwards compatible with prior versions of Foswiki. JQueryPlugin (not yet uploaded) and TipsContrib will require patches to Foswiki 1.x and 2.0 to be compatible.
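A review helper for the two checks recommended above, written for this post as an added example rather than Foswiki project code: it lists every %URLPARAM% macro in topic text that is not explicitly entity encoded, and rewrites encode="off" in a comment template to the recommended encode="$encodeguest". The sample topic and template are constructed here, and the macro and attribute syntax is assumed from the announcement text.

```python
import re

# Constructed sample topic text (not taken from any Foswiki site).
SAMPLE_TOPIC = """---+ Search form
%URLPARAM{"q"}%
%URLPARAM{"q" encode="off"}%
%URLPARAM{"q" encode="entity"}%
%SEARCH{"%URLPARAM{"q" encode="quote, entity"}%" decode="entity"}%
"""

# Constructed CommentPlugin-style output template with the risky setting.
SAMPLE_TEMPLATE = """%TMPL:DEF{OUTPUT:guestcomment}%%POS:BEFORE%
   * %URLPARAM{"comment" encode="off"}% -- %WIKIUSERNAME% - %DATE%
%TMPL:END%
"""

MACRO_RE = re.compile(r'%URLPARAM\{(.*?)\}%')   # one macro, attributes in group 1
ENCODE_RE = re.compile(r'\bencode="([^"]*)"')    # the encode="..." attribute

# Encodings accepted without a finding: "entity" per the 2.0.2 advice, and
# "$encodeguest", the value the release notes recommend in comment templates.
ACCEPTED = {'entity', '$encodeguest'}

def urlparam_findings(text):
    """Return (line_no, macro, reason) for each URLPARAM that needs review."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in MACRO_RE.finditer(line):
            enc = ENCODE_RE.search(m.group(1))
            if enc is None:
                findings.append((n, m.group(0), 'no encode= attribute'))
                continue
            # 2.0.2 allows a comma-separated list such as "quote, entity"
            modes = {x.strip() for x in enc.group(1).split(',')}
            if 'off' in modes:
                findings.append((n, m.group(0), 'encode="off"'))
            elif not modes & ACCEPTED:
                findings.append((n, m.group(0), 'not entity encoded'))
    return findings

def harden_comment_template(text):
    """Apply the template fix from the announcement: encode="off" -> encode="$encodeguest"."""
    return text.replace('encode="off"', 'encode="$encodeguest"')

if __name__ == '__main__':
    for finding in urlparam_findings(SAMPLE_TOPIC) + urlparam_findings(SAMPLE_TEMPLATE):
        print('line %d: %s (%s)' % finding)
```

Run it over the .txt files of a data web to get a worklist of macros to review; the regex does not handle a literal `}%` inside an attribute value.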

Translation status

As of this release,

  • Traditional Chinese, Danish, French, German and Italian are >99% complete.
  • Czech is >96% complete.
  • Dutch, Norwegian, and Portuguese (Brazil) are 70-88% complete.
  • Other languages are 60% complete or lower.

For more details on translation status, visit the TranslationTeam and Foswiki’s Weblate translation server. Foswiki is now using continuous translation, so contributions at any time are very helpful. The Foswiki community thanks the Translators for their Herculean efforts. If you are interested in helping with the translation, please contact foswiki-translations@lists.sourceforge.net.

On behalf of the entire Foswiki project community, special thanks and VirtualBeer to everyone who made this new release possible.

George Clark
Release Manager, Foswiki 2.0

Foswiki 1.1.8 released

01 Mar 2013 | Jan Krüger | Release, Security

While it's been quiet in the blog lately, we're back just in time for the latest release in the Foswiki 1.1 series, with a few general improvements but also a fixed security issue. In other words: you don't want to miss the new Foswiki version! It's available right now at http://foswiki.org/Download/FoswikiRelease01x01x08.

Be sure to pay attention to the upgrade instructions there, especially if you're upgrading from Foswiki 1.1.5 or older.

In case you haven't been following the release announcements elsewhere, I've included a brief description of the other releases you may have missed. If you want to know every last detail about all the changes in recent releases, look at the full release notes for the Foswiki 1.1 series.

Highlights of Foswiki 1.1.8 release

Security Release

Release 1.1.8 fixes a Critical Security Vulnerability. All previous releases of Foswiki are vulnerable to a security issue in Locale::Maketext. It is described further in SecurityAlert-CVE-2013-1666. If your site runs with Internationalization enabled, you should upgrade to this release.

  • For users: 4 bug fixes relative to 1.1.7
  • For administrators: SSL Email works on newer versions of IO::Socket::SSL. (The prior fix in 1.1.7 was incomplete.)

Highlights of Foswiki 1.1.7 release

Release 1.1.7 fixes a Critical Security Vulnerability. All previous releases of Foswiki are vulnerable to a security issue in Locale::Maketext. It is described further in SecurityAlert-CVE-2012-6329. A second vulnerability in the Foswiki == macro was also discovered, and is described further in SecurityAlert-CVE-2012-6330.

For users:

  • 20 bug fixes and 4 improvements relative to 1.1.6
  • WYSIWYG editor improves handling of WikiWord links. Changing the displayed WikiWord also updates the link target.
  • The default font has been restored to the attributes from 1.1.5. This prevents layout differences when upgrading to Foswiki 1.1.7.

For administrators:

  • For sites using SSL accelerators and load balancers: A new expert configuration parameter {ForceDefaultUrlHost} can be enabled to force Foswiki to override the user entered URL with the {DefaultUrlHost} setting.
  • SSL Email works again on newer versions of IO::Socket::SSL
  • Pending registration requests now have a separate timer independent from the Session timer.
  • Removed undocumented dependency on updated HTML::TreeBuilder > 4.0

Highlights of Foswiki 1.1.6 release

For users:

  • More than 117 bug fixes and improvements relative to 1.1.5
  • TinyMCE has been updated to release 3.4.9
  • Markup within input fields is no longer rendered
  • The Chili syntax highlighter has been enabled by default

For administrators:

  • Duplicate email checks are applied to pending registrations.
  • Stale pending registrations are removed.
  • Configure makes a backup before saving configuration changes
  • Performance problems with Rename and Log Rotation have been addressed.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License