[interchange-cvs] interchange - kwalsh modified WHATSNEW-4.9

interchange-cvs at icdevgroup.org interchange-cvs at icdevgroup.org
Sat Apr 17 22:52:48 EDT 2004


User:      kwalsh
Date:      2004-04-18 02:52:48 GMT
Modified:  .        WHATSNEW-4.9
Log:
	* Re-created the missing 5.0.1 entries.

Revision  Changes    Path
1.2       +69 -0     interchange/WHATSNEW-4.9


rev 1.2, prev_rev 1.1
Index: WHATSNEW-4.9
===================================================================
RCS file: /var/cvs/interchange/WHATSNEW-4.9,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- WHATSNEW-4.9	9 Apr 2004 21:19:24 -0000	1.1
+++ WHATSNEW-4.9	18 Apr 2004 02:52:47 -0000	1.2
@@ -6,6 +6,75 @@
 ------------------------------------------------------------------------------
 
 
+Interchange 5.0.1 released 2004-03-29.
+
+Security
+--------
+
+* Plug a security hole which allows an attacker to expose arbitrary variable
+  contents by using an URL like
+  http://shop.example.com/cgi-bin/store/__SQLUSER__.
+
+  All Interchange applications using the standard "missing" special page
+  from the demo catalog or a similar one are vulnerable to this attack.
+  The attacker may learn the SQL access information for your Interchange
+  application and use this information to read and manipulate sensitive
+  data.
+
+* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
+  variables.
+
+* Prevent login information from getting re-saved on a session cancel.
+
+* Define a set of CGI keys that we don't want to save to disk, as
+  @Global::HideCGI.
+
+* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
+  This allows saving a session to disk for diagnositic purposes in case
+  of order failure.
+
+Core
+----
+
+* Allow [dump no-cgi=1 no-session=1 no-env=1] to finetune dump.
+
+* Tolerate leading whitespace in query in Vend::Form.
+
+Admin
+-----
+
+* Fix bug where affiliate reports don't filter based on that.
+
+* Make reports with no specified end_date work.
+
+* Fix missing relocation variables in Vend::Table::Editor found by Paul
+  Vinciguerra.
+
+Usertags
+--------
+
+* history-scan: Make pageonly=1 option work correctly when there's no
+  History saved in the user's session.
+
+Foundation
+----------
+
+* Remove unmatched </FORM> from cart_display component.
+
+Debian
+------
+
+* Add libhtml-parser-perl to Build-Depends to keep HTML::Entities
+  module out of the package (Closes: #224435, thanks to Henrik Holmboe
+  <elements at hack.se> for the bug report)
+
+* Switch to gettext-based debconf templates (Closes: #235494, thanks to
+  Martin Quinson <Martin.Quinson at tuxfamily.org> for the patch)
+
+
+------------------------------------------------------------------------------
+
+
 Interchange 5.0.0 released 2003-12-15.
 
 Core
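Review bot: The Admin entry "Fix bug where affiliate reports don't filter based on that" has no antecedent for "that"; state what the reports now filter on (for example the affiliate or the selected date range) so the note is usable by someone upgrading. Two smaller points in the same hunk: "diagnositic" should read "diagnostic" in the @Global::HideCGI dump entry, and the first Security entry would be clearer if it said that the exposure comes from the "missing" special page interpolating the requested page name, so that sites with a custom missing page know to check theirs as well as the demo one.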