[interchange-cvs] interchange - kwalsh modified WHATSNEW-4.9
interchange-cvs at icdevgroup.org
Sat Apr 17 22:52:48 EDT 2004
User: kwalsh
Date: 2004-04-18 02:52:48 GMT
Modified: . WHATSNEW-4.9
Log:
* Re-created the missing 5.0.1 entries.
Revision Changes Path
1.2 +69 -0 interchange/WHATSNEW-4.9
rev 1.2, prev_rev 1.1
Index: WHATSNEW-4.9
===================================================================
RCS file: /var/cvs/interchange/WHATSNEW-4.9,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- WHATSNEW-4.9 9 Apr 2004 21:19:24 -0000 1.1
+++ WHATSNEW-4.9 18 Apr 2004 02:52:47 -0000 1.2
@@ -6,6 +6,75 @@
------------------------------------------------------------------------------
+Interchange 5.0.1 released 2004-03-29.
+
+Security
+--------
+
+* Plug a security hole which allows an attacker to expose arbitrary variable
+ contents by using an URL like
+ http://shop.example.com/cgi-bin/store/__SQLUSER__.
+
+ All Interchange applications using the standard "missing" special page
+ from the demo catalog or a similar one are vulnerable to this attack.
+ The attacker may learn the SQL access information for your Interchange
+ application and use this information to read and manipulate sensitive
+ data.
+
+* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
+ variables.
+
+* Prevent login information from getting re-saved on a session cancel.
+
+* Define a set of CGI keys that we don't want to save to disk, as
+ @Global::HideCGI.
+
+* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
+ This allows saving a session to disk for diagnositic purposes in case
+ of order failure.
+
+Core
+----
+
+* Allow [dump no-cgi=1 no-session=1 no-env=1] to finetune dump.
+
+* Tolerate leading whitespace in query in Vend::Form.
+
+Admin
+-----
+
+* Fix bug where affiliate reports don't filter based on that.
+
+* Make reports with no specified end_date work.
+
+* Fix missing relocation variables in Vend::Table::Editor found by Paul
+ Vinciguerra.
+
+Usertags
+--------
+
+* history-scan: Make pageonly=1 option work correctly when there's no
+ History saved in the user's session.
+
+Foundation
+----------
+
+* Remove unmatched </FORM> from cart_display component.
+
+Debian
+------
+
+* Add libhtml-parser-perl to Build-Depends to keep HTML::Entities
+ module out of the package (Closes: #224435, thanks to Henrik Holmboe
+ <elements at hack.se> for the bug report)
+
+* Switch to gettext-based debconf templates (Closes: #235494, thanks to
+ Martin Quinson <Martin.Quinson at tuxfamily.org> for the patch)
+
+
+------------------------------------------------------------------------------
+
+
Interchange 5.0.0 released 2003-12-15.
Core
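Review bot: The Admin entry "Fix bug where affiliate reports don't filter based on that." has no referent for "that"; say what the reports now filter on (the affiliate, the date range, or whatever the fix actually applied) so the release note is usable without reading the commit. Two smaller points in the same hunk: the Security entry for @Global::HideCGI has the typo "diagnositic" (should be "diagnostic"), and the __SQLUSER__ entry states that every catalog using the standard "missing" special page is vulnerable but does not say whether upgrading alone closes the hole or whether a catalog's own "missing" page must also be changed; one sentence on the required action would help administrators reading WHATSNEW.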