
Interchange News

  • Marco Pessotto joins Interchange core developer team

    Posted on August 26, 2020 by Jon Jensen

    We are happy to announce that Marco Pessotto recently joined the Interchange core developer team! Marco’s involvement with Interchange dates back to 2013 or earlier. He has contributed several core code commits and worked on many Interchange stores.

    You can also find Marco at his web home or working on his CMS/wiki engine/publishing software, amusewiki.

    We look forward to working even more closely with Marco in the future!

  • Admin XSS security vulnerabilities fixed (CVE-2020-12685)

    Posted on May 14, 2020 by Jon Jensen

    The Interchange admin in versions 4.7.0 through 5.11.x (before 2020-05-15) was vulnerable to cross-site scripting (XSS) injection attacks in the help and quicklinks pages.

    Attackers could use browser JavaScript to steal client-side credentials such as a session cookie or delivered page data. The attack type is reflected XSS: it is active only for a single page request made via a tainted link, and is not stored in the database, in page files, or reusably in the session.

    This was found and reported by Sean Fernandez. Thank you very much! It has been assigned the identifier CVE-2020-12685.

    To resolve the problem, apply the patch from commit 243ab0eea0a, or download the new versions of the 2 corrected files:

    u1=https://raw.githubusercontent.com/interchange/interchange/243ab0eea0ae1d8d8f3e333128349f104b7e04bf
    u2=$u1/dist/lib/UI/pages/admin
    curl --remote-name-all $u2/help.html $u2/quicklinks.html
    

    Then copy them into place in your global admin installation:

    cp help.html quicklinks.html /path/to/interchange/lib/UI/pages/admin/
    

    If you made catalog-local copies to customize those files, you will need to apply the fixes there manually in /path/to/catalog/pages/admin/.

    Restarting the Interchange daemon is not necessary.

    The nightly build now includes the fixes, as will the upcoming 5.12.0 release.
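
    One way to confirm the corrected files reached every copy, including the catalog-local copies mentioned above. This is an added example, not part of the original advisory or the Interchange code base; the function names `check_admin_pages` and `demo_check` and the demo file contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not Interchange project code): audit admin page copies
# against the corrected files fetched with the curl command above.
# Usage: check_admin_pages FIXED_DIR PAGES_DIR...
#   FIXED_DIR  directory holding the downloaded help.html and quicklinks.html
#   PAGES_DIR  the global lib/UI/pages/admin and each catalog's pages/admin
# Returns 0 if every existing copy is identical to the fixed file, 1 if any
# copy differs (unpatched or customized: review by hand), 2 on a usage error.
check_admin_pages() {
    fixed_dir=$1
    shift
    result=0
    for f in help.html quicklinks.html; do
        if [ ! -r "$fixed_dir/$f" ]; then
            echo "ERROR   no reference $f in $fixed_dir" >&2
            return 2
        fi
    done
    for dir in "$@"; do
        for f in help.html quicklinks.html; do
            if [ ! -e "$dir/$f" ]; then
                # No copy here, e.g. a catalog without a local override.
                echo "ABSENT  $dir/$f"
            elif cmp -s "$fixed_dir/$f" "$dir/$f"; then
                echo "FIXED   $dir/$f"
            else
                echo "DIFFERS $dir/$f"
                result=1
            fi
        done
    done
    return $result
}

# Constructed demo tree; file contents are placeholders, not the real pages.
demo_check() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/fixed" "$t/global" "$t/catalog"
    echo "fixed help" > "$t/fixed/help.html"
    echo "fixed quicklinks" > "$t/fixed/quicklinks.html"
    cp "$t/fixed/help.html" "$t/fixed/quicklinks.html" "$t/global/"
    echo "customized old help" > "$t/catalog/help.html"
    check_admin_pages "$t/fixed" "$t/global" "$t/catalog"
    rc=$?
    rm -rf "$t"
    return $rc
}
demo_check || echo "review the DIFFERS lines above"
```

    A DIFFERS line means only that the copy is not byte-identical to the corrected file, so a customized catalog copy will show up there even after the fix has been merged in by hand.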

  • Project website refresh

    Posted on April 25, 2020 by Jon Jensen

    This Interchange project website has gotten a refresh to its design and organization, to prepare for the Interchange 5.12 release.

    Zed Jensen and Seth Jensen updated the design with a new logo, home page banner, typeface, and more pleasant design. They also added a list of recent commits from GitHub on the home page to give prominent visibility into code changes.

    I updated the site organization to combine the two separate link menu components to make navigation more consistent, and make more important pages easier to reach. The Interchange history page now includes more key events from recent years, and the Interchange news page once again shows history prior to 2005 that was lost in the last site reimplementation.

    If you run into any problems, please let us know by opening a GitHub issue!

  • Interchange 5.12.0 release candidate 1

    Posted on March 1, 2020 by David Christensen

    The Interchange Development Group is preparing the latest release of Interchange, 5.12.0. As such, we are announcing the initial release candidate. If you are able, please test this release in a non-production environment and provide any additional feedback.

    The changes in this version are extensive, and include multiple years’ worth of development, bug fixes, and improvements. For details on this release, please see the WHATSNEW file for this release.

    Get the rc1 download and its detached signature (signed by key id DF9B65B8), which have these SHA-1 sums:

    95719fea81883fa3e15ca4b35b21af2d39d57012  interchange-5.12.0-rc1.tar.gz
    e82705c5f7b8273fb7449c8c0468aa28eeb11d36  interchange-5.12.0-rc1.tar.gz.asc
