
Security

Foswiki 2.1.3 ready to download
Recommended release for security fixes

13 Feb 2017 | GeorgeClark | Development, Release, Security

2016 has mostly been a quiet year, as Foswiki 2.1.2 has been running very reliably. But while the project has been quiet, much work has gone into preparing the next release. And here it is: 2.1.3.

Everybody is urged to upgrade, as this release comes with a few important fixes: it not only cleans up the code and improves performance, but also addresses a couple of security bugs. We have been working together with Intel, who performed dynamic site scans to detect common cross-site scripting attacks as well as static scans of the Perl and JavaScript code base itself. A big "Thank You" from the Foswiki Community to Intel, who continue to run security audits on a regular basis.

We also thank the many Foswiki users who have taken the time to report issues in our Tasks web and, in many cases, to suggest fixes. We also welcome users to fork Foswiki on GitHub and contribute fixes using pull requests. We are grateful to everyone whose contributions have made this release possible.


How to get the release?

Installation instructions

For installation information, see the System Requirements and the Installation Guide.

Please report issues in the Task Tracker.

We are looking forward to an interesting 2017 in the Foswiki space. There are several feature proposals under review which could be quite transforming for the next major Foswiki release.

Highlights of this release

  • Contains 96 fixes relative to 2.1.0 (42 of which are enhancements)
  • New release of JQuery
  • Fixes several performance issues
  • Fixes a few minor security issues
  • An updated Virtual Machine has been built, using the latest Ubuntu LTS release

See ReleaseNotes02x01 for complete release notes.

Release Statistics

  • 272 commits (code changes) since 2.1.2
  • 18 developers and translators worked on this release
  • 98 tasks had commits in this release
  • 7 security tasks were closed in 2.1.3

Foswiki 2.0.3 is released

16 Nov 2015 | George Clark | Development, Release, Security
Hello Foswiki Community,

We are very pleased to announce that Foswiki 2.0.3 is available for download.

Highlights of this release

  • 17 fixes and 1 enhancement
  • major performance bug fixed in EditRowPlugin and in Foswiki rendering
  • several “Severity 3” security issues fixed, documented in tasks per the Foswiki security process.
  • the Ukrainian translation has been greatly improved.
See Release02x00x03 for the complete release notes, and FoswikiRelease02x00x00 for highlights of the 2.0 release.

Security fixes

Item13796: SpreadSheet CALC/CALCULATE macro can insert unencoded < and >. This fix may require setting changes in topics or Web Preferences.

Translation status

As of this release,
  • Traditional Chinese, Danish, French, German and Italian are >99% complete.
  • Czech is >96% complete.
  • Dutch, Norwegian, Portuguese (Brazil) and Ukrainian are 70-88% complete.
  • Other languages are 60% complete or lower.
Special thanks to all the developers, translators and testers who have worked to make this release possible.

George Clark
Release Manager, Foswiki 2.0

Foswiki 2.0.2 is released

Hello Foswiki Community,

We are very pleased to announce that Foswiki 2.0.2 is available for download. Nearly 7 years ago, on November 19th, 2008, the Foswiki name was announced. Since then, the project has made approximately 22 releases of Foswiki. This release builds upon the collective effort of many developers and sponsors across the project's 7-year history. Foswiki 2.0.2 was built on 30 September 2015.

Highlights of this release

  • 65 fixes and 5 enhancements
  • Major performance bug fixed in Query search. Some sites have seen 350% improvement.
  • Several “Severity 3” security issues fixed. Documented in tasks per the Foswiki security process.
  • Configuration wizard added to incorporate manually installed extensions and check for configuration errors from the command line.
See the ReleaseNotes02x00 for complete release notes. See the FoswikiRelease02x00x00 for highlights of the 2.0 release.

For users

Several significant compatibility fixes to the EditRowPlugin make it much more viable as a replacement for the EditTablePlugin

For administrators

Security fixes:
  • Item13741 addresses URLPARAM encoding. Topic review recommended.
  • Item13764 addresses guest commenting. Topic review recommended.
  • Item13739 login and registration field encoding.
  • Item13772 edit script parameter encoding.
Note that access to these tasks is currently restricted to give sites time to update.

The following actions are recommended. They are needed to block possible Cross-Site Scripting (XSS) attacks.

  • If your site has enabled guest commenting (not a default configuration), then after installing this update any customized comment templates need to be carefully reviewed. Any instance of encode="off" found in the output templates should be changed to encode="$encodeguest". This fix is available to older releases by installing the latest CommentPlugin from the Extensions web.
  • After installing 2.0.2, any topics containing %URLPARAM% macros should be reviewed. We recommend that all browser input be entity encoded: %URLPARAM{"somefield" encode="entity"}%. Foswiki 2.0.2 also permits combinations of encodings, for example %URLPARAM{"somefield" encode="quote, entity"}%. The Foswiki 2.0.2 SEARCH macro has a new decode parameter that undoes parameter encoding, so when URLPARAM feeds a SEARCH we recommend: %SEARCH{"%URLPARAM{"somefield" encode="quote, entity"}%" decode="entity"}%. Used in this way, it permits searching for literal strings containing any characters without introducing an XSS path.

Caution: The changes to the %URLPARAM% macro are not backwards compatible with prior versions of Foswiki. JQueryPlugin (not yet uploaded) and TipsContrib will require patches on Foswiki 1.x and 2.0 to be compatible.
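To make the reasoning behind the URLPARAM/SEARCH recommendation concrete, here is a small Python model of the encode/decode chain. It is an added illustration, not Foswiki's own code: encode_entity, encode_quote, url_param and search_term are stand-ins for what the %URLPARAM% encode= and %SEARCH% decode= options do, the payload is constructed for the example, and the assumption that "quote, entity" applies quote escaping first and entity encoding second is mine.

```python
import html
import re

# Constructed attacker input (not from any real incident): a query
# parameter that tries to close an HTML attribute and inject script.
PAYLOAD = '"><script>alert(1)</script>'


def encode_entity(value):
    """Model of encode="entity": HTML-escape <, >, &, " and '.
    Illustrative re-implementation, not Foswiki's own routine."""
    return html.escape(value, quote=True)


def encode_quote(value):
    """Model of encode="quote": backslash-escape double quotes so the
    value cannot terminate a quoted macro parameter like SEARCH{"..."}."""
    return value.replace('"', '\\"')


ENCODERS = {"entity": encode_entity, "quote": encode_quote}


def url_param(value, encode="entity"):
    """Model of %URLPARAM{"field" encode="..."}%.

    encode="off" passes browser input through verbatim (the unsafe setting
    the 2.0.2 notes warn about). A comma-separated list applies each
    encoding left to right; the order is an assumption of this model.
    """
    if encode == "off":
        return value
    for name in (n.strip() for n in encode.split(",")):
        value = ENCODERS[name](value)
    return value


def search_term(param_output, decode=None):
    """Model of the SEARCH decode="entity" feature added in 2.0.2: the macro
    receives the entity-encoded text and undoes that layer to recover the
    literal string the user typed. The quote escaping is left in place, so
    the recovered text still cannot break out of the SEARCH parameter."""
    return html.unescape(param_output) if decode == "entity" else param_output


def contains_markup(text):
    """True if the text still carries an unencoded tag, i.e. a browser would
    interpret it as HTML when it is written into the page."""
    return re.search(r"<\s*/?\s*[a-zA-Z]", text) is not None


if __name__ == "__main__":
    for mode in ("off", "entity", "quote, entity"):
        out = url_param(PAYLOAD, encode=mode)
        print(f'encode="{mode}": {out!r}  markup={contains_markup(out)}')
    combined = url_param(PAYLOAD, encode="quote, entity")
    print("SEARCH sees:", repr(search_term(combined, decode="entity")))
```

The point the model makes: with encode="off" the payload reaches the page as live markup; with encode="entity" it is inert but a literal quote inside it would still end a quoted macro parameter; with "quote, entity" plus decode="entity" on the SEARCH side, the search runs on the exact string the user typed while the quote stays escaped, so neither the macro parser nor the browser sees anything it should not.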

Translation status

As of this release,

  • Traditional Chinese, Danish, French, German and Italian are >99% complete.
  • Czech is >96% complete.
  • Dutch, Norwegian, and Portuguese (Brazil) are 70-88% complete.
  • Other languages are 60% complete or lower.

For more details on translation status, visit the TranslationTeam and Foswiki's Weblate translation server. Foswiki is now using continuous translation, so contributions at any time are very helpful. The Foswiki community thanks the translators for their Herculean efforts. If you are interested in helping with the translation, please contact foswiki-translations@lists.sourceforge.net.

On behalf of the entire Foswiki project community, special thanks and VirtualBeer to everyone who made this new release possible.

George Clark
Release Manager, Foswiki 2.0

Foswiki 1.1.8 released

01 Mar 2013 | Jan Krüger | Release, Security
While it's been quiet in the blog lately, we're back just in time for the latest release in the Foswiki 1.1 series, with a few general improvements but also a fixed security issue. In other words: you don't want to miss the new Foswiki version! It's available right now at http://foswiki.org/Download/FoswikiRelease01x01x08.

Be sure to pay attention to the upgrade instructions there, especially if you're upgrading from Foswiki 1.1.5 or older.

In case you haven't been following the release announcements elsewhere, I've included a brief description of the other releases you may have missed. If you want to know every last detail about all the changes in recent releases, look at the full release notes for the Foswiki 1.1 series.

Highlights of Foswiki 1.1.8 release

Security Release

Release 1.1.8 fixes a critical security vulnerability. All previous releases of Foswiki are vulnerable to a security issue in Locale::Maketext, described further in SecurityAlert-CVE-2013-1666. If your site runs with internationalization enabled, you should upgrade to this release.
  • For users: 4 bug fixes relative to 1.1.7
  • For administrators: SSL Email works on newer versions of IO::Socket::SSL. (The prior fix in 1.1.7 was incomplete).

Highlights of Foswiki 1.1.7 release

Release 1.1.7 fixes a critical security vulnerability. All previous releases of Foswiki are vulnerable to a security issue in Locale::Maketext, described further in SecurityAlert-CVE-2012-6329. A second vulnerability, in the Foswiki == macro, was also discovered and is described further in SecurityAlert-CVE-2012-6330.

For users:

  • 20 bug fixes and 4 improvements relative to 1.1.6
  • WYSIWYG editor improves handling of WikiWord links. Changing the displayed WikiWord also updates the link target.
  • The default font has been restored to the attributes from 1.1.5. This prevents layout differences when upgrading to Foswiki 1.1.7

For administrators:

  • For sites using SSL accelerators and load balancers: A new expert configuration parameter {ForceDefaultUrlHost} can be enabled to force Foswiki to override the user entered URL with the {DefaultUrlHost} setting.
  • SSL Email works again on newer versions of IO::Socket::SSL
  • Pending registration requests now have a separate timer independent from the Session timer.
  • Removed undocumented dependency on updated HTML::TreeBuilder > 4.0

Highlights of Foswiki 1.1.6 release

For users:

  • More than 117 bug fixes and improvements relative to 1.1.5
  • TinyMCE has been updated to release 3.4.9
  • Markup within input fields is no longer rendered
  • The Chili syntax highlighter has been enabled by default

For administrators:

  • Duplicate email checks are applied to pending registrations.
  • Stale pending registrations are removed.
  • Configure makes a backup before saving configuration changes
  • Performance problems with Rename and Log Rotation have been addressed.

The Foswiki project has just been through one of the rare situations where one of our users discovered a serious security issue in our software.

It was one of those moments where many developers were thinking: "Why didn't I see this?". Many of us felt embarrassed.

It is a fact of life that when you have humans developing technology, things can and will go wrong. You can do a lot to minimize the risk, and the Foswiki project conducted serious security reviews on the extensive rewrite of our code that took place from 1.0 to 1.1. We found and fixed issues before we even got close to releasing any code to the public, and the Foswiki project has had an impressive security record.

But in the 1.1.0 release we missed a small issue where one code line had been moved down a few lines too many, and we ended up not authenticating the user properly in a specific situation.

This could be a sad story but it isn't. This situation showed what difference it makes to have a large and strong community behind an open source project.

First I want to give the timeline of the events on the 9th and 10th of November.
  • On 09 Nov 2010, a little before noon CET, a user asked a very good question on the Foswiki support web. He could not understand what he was doing wrong in setting up access rights, because no matter how he did it, he was able to edit and save preferences in topics he did not have access rights to.
  • Within a few hours a Foswiki developer read the support question. To his horror, the report was correct. The minute he realized the nature of the problem, the support question was changed so it could only be viewed by the reporter and the Foswiki Security Task Team.
  • For the next few hours the Foswiki security mailing list, which only the security team has access to, was glowing with emails. Five hours after the issue was reported, a code fix had been made and tested by the security team members. The time was now near 18:00.
  • At 18:00 I became aware of the situation, and the security team quickly assessed the issue and concluded that it was a security level 2 issue. This means that we have a goal to respond within 48 hours and will provide a fix and a security alert to the people who subscribe to our low-traffic announcement mailing list.
  • It was decided that we would release a 1.1.2 as fast as we possibly could. We assessed which urgent bugs we wanted to include in addition to the security fix.
  • The next 8 hours were amazing. Many members of the security team worked all night fixing and testing a short list of important bugs. A test of a new version of the WYSIWYG editor was conducted and merged in. Code was checked in, reviewed and tested at a rapid pace. Code was even thrown out again because it was judged too risky. Additional developers were pulled into the IRC channel we had created for the event to give code fixes a last review.
  • At 19:30 I requested a CVE number from MITRE, and they were fantastic: we had the number by 20:00.
  • At 23:00 the security announcement and response plan was written, reviewed and agreed by the security team.
  • At 02:00 on 10 Nov 2010 the 1.1.2 release was built and uploaded to our servers for download.
  • At 02:30 the release announcement was sent to the Foswiki announcement mailing list.
  • At 02:35 the security announcement was sent to the Foswiki announcement mailing list.
So we actually managed to react, assess, fix, finish a release, build the release, and announce within 14 hours.

As I write this, I have just sent the security announcement to the public security sites (48 hours after we made the announcement on the Foswiki mailing lists).

When I think back now on what happened, I feel proud.
Proud that we managed to act like professionals even though we all work as volunteers on the project.
Proud because I am part of such a strong development team that cares about the security of our users, and cares about each other.
Proud because, as a release manager located in Denmark, I had people in the USA, Mexico, Germany, France, the UK, Australia and the Netherlands available to help, test, code, review and encourage. I had a team backing me up in getting the release out and getting the announcements out.

It shows the power of open source projects when they are supported by a committed and dedicated community.

Kenneth Lavrsen

Foswiki Release Manager
Leader of the Foswiki Security Task Team
Member of the board of the Foswiki Association
