We have an important Security release and minor code fix for 2.6. The release number is 2.6.1.
Security updates
Vulnerability: Forgotten password challenge guessable.
Fixes a security issue discovered by Timothy D. Morgan (thank you). Forgotten password challenges were guessable based on the user's last login and email address. Tokens are now generated from an HMAC of the login time and email address, using a salt and a secret key reserved specifically for these tokens.
Instructions: This vulnerability can be fixed by upgrading to 2.6.1. An upgrade is highly recommended. For users who cannot upgrade (i.e. if you are running an earlier Ushahidi version), you can patch your install with the patch attached to this post:
- Download and unzip the patch file attached to this alert
- Upload and replace your current files in the folders that correspond to those in the patch.
- Version: 2.6 (and earlier)
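To make the token change above concrete, here is an added example (not Ushahidi's code, and written in Python rather than the project's PHP purely for illustration). It places an illustrative weak scheme, a plain hash of non-secret inputs, beside the fixed scheme the release describes: an HMAC over login time and email address with a per-challenge salt and a secret key used for nothing else. The key value, the salt handling and the weak_token reconstruction are assumptions of this example, not details taken from the Ushahidi source.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed, deployment-wide secret used ONLY for reset tokens (hypothetical value).
# In practice it is generated once at install time and kept out of the code base.
RESET_TOKEN_KEY = bytes.fromhex("0f" * 32)

# Constructed sample last-login timestamp, used by the demo below.
SAMPLE_LOGIN = datetime(2012, 12, 5, 10, 0, 0, tzinfo=timezone.utc)


def weak_token(email: str, last_login: datetime) -> str:
    """Illustrative weak scheme (not Ushahidi's code): the token is a plain hash of
    values that are not secret, so anyone who knows them can recompute it."""
    return hashlib.md5(f"{email}{last_login.isoformat()}".encode("utf-8")).hexdigest()


def make_reset_token(email: str, login_time: datetime, salt: bytes,
                     key: bytes = RESET_TOKEN_KEY) -> str:
    """Fixed scheme: HMAC-SHA256 over the same inputs plus a per-challenge salt,
    keyed with a secret. Without the key the token cannot be recomputed."""
    msg = b"|".join([
        b"password-reset",                       # domain label keeps the key single-purpose
        email.strip().lower().encode("utf-8"),
        login_time.isoformat().encode("ascii"),
        salt,
    ])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(email: str, login_time: datetime) -> tuple:
    """Create a new challenge. Returns (salt_hex, token): the salt is stored with the
    user's reset record, the token goes into the e-mailed link."""
    salt = secrets.token_bytes(16)
    return salt.hex(), make_reset_token(email, login_time, salt)


def verify_challenge(email: str, login_time: datetime, salt_hex: str,
                     presented: str) -> bool:
    """Recompute the expected token from stored data and compare in constant time,
    so response timing does not leak how many leading characters matched."""
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    expected = make_reset_token(email, login_time, salt)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    email = "user@example.org"  # constructed sample address
    salt_hex, token = issue_challenge(email, SAMPLE_LOGIN)
    print("weak  :", weak_token(email, SAMPLE_LOGIN))
    print("fixed :", token)
    print("verify:", verify_challenge(email, SAMPLE_LOGIN, salt_hex, token))
```

The salt is stored server-side with the pending reset and the key never leaves the server, so knowing a user's email and last login is no longer enough to reproduce the token. A deployment would also want to expire challenges after a short window and invalidate them once used; that is not shown here because the release notes do not describe it.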
Standalone patches (just the security fix without other changes)
- ushahidi_2.6.x_secfix-2012-008.zip md5: 24cf4645c2fdf39b18688542289d89fe
- ushahidi_2.5.x_secfix-2012-008.zip md5: 7bb5fa2877e43138e45803696e840f38
- ushahidi_2.4.x_secfix-2012-008.zip md5: e6aaaa7e35738b9e5a032eac512612de

Additional fixes to 2.6
These fixes are included in the bundle for 2.6.1. More details on how to migrate to 2.6.1 from 2.6.
UTF8 fixes
- Some calls to escape HTML could not handle UTF8 characters; this has been corrected.
Map loading issues
- The GeoJSON used to load maps failed to render if a deployment had reports without locations; these reports are now ignored.
- Maps on individual report pages were not loading; the JS error causing this is now fixed.
- OpenLayers TMS support wasn't included in 2.6; this has been reinstated to ensure the Cloudmade plugin works.
Custom forms
- Fixed issues with loading custom form fields on deployments using table prefixes.
- Fixed PHP errors when signing up for mobile alerts.
- Fixed "more information" links in the reports listing.

Upgrade Day: December 5, 6, 2012
Upgrade Day is here again. We know there are many Ushahidi deployments on older versions. Upgrading alone can be daunting, so we are hosting our 2nd community-wide Upgrade Day. Join us on Skype to upgrade together.
What we will support in the future
Moving towards 3.0, we will now only support (e.g. with security patches) versions higher than 2.4. There have been substantial changes in our software in the last few releases. The most current version is listed on the download site.
Why upgrade:
- New Features
- Bug Fixes
- More Secure
- If you are on a version lower than 2.4, you will be able to use the Auto-upgrader tool.
- More compatible with newer versions