Category: Security info

b2evo 1.8.6 AND 1.9.1 released!

December 2, 2006 @ 19:42, by Francois Planque • Category: New releases, Security info

Only December the 2nd and we already have 2 new releases this month! It may seem as if we can't get enough releases out the door. But these ones are for your security, so...

It is extremely strongly advised you upgrade!

Download here!

These releases patch the security issue discovered this week in 1.x releases. (If you are running version 0.9.1 or 0.9.2 you are not affected, but it would still be a good idea to upgrade.)

Those versions are codenamed after Anne & Chris, who were the first two users to report the issue. Thanks to both of you, as well as to all the other users who helped identify and fix this issue in such a short time.

These versions also include additional security measures, just in case. Sort of having two locks on your door instead of one.

Bonus in version 1.8.6 "Anne": Yearly archives are back. You can display all posts for 2005 with your-blog-url?m=2005

Bonus in version 1.9.1-beta "Chris": a few little bug fixes that make this version less of a beta than 1.9.0 ;)

Security Alert: import-mt.php

November 30, 2006 @ 14:27, by Francois Planque • Category: Security info

Well, it's been a long time since the last security alert, but every now and then someone finds a security hole and it gets exploited...

This one doesn't affect b2evolution itself but the Movable Type Importer shipped with b2evolution since version 1.6. So, in effect, this security issue affects all versions of b2evolution since 1.6. In the latest tests, versions 0.9.x appear to be safe.

The good news is that it is very easy to secure your b2evolution installation before it gets hit by an attack: just delete the Movable Type Importer (you don't need it: it is only used *during* the import, if you have migrated from MT to b2evo).

In b2evo versions 1.x, delete this file from your server:
/blogs/inc/CONTROL/imports/import-mt.php

In b2evo versions 0.9.x, you don't need to do anything, you're not affected by this issue. Your version is aging though, and you should consider upgrading as soon as we release 1.8.6.

Older versions: you are not affected by this issue, however your version is so old that you may be affected by other issues. It is strongly advised to upgrade.

We'll release a fixed version of b2evo later tonight.
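Two checks a site operator might want after applying the mitigation above, as an added example that is not part of the original post: confirm the importer file is really gone from the install root, and scan web server access logs for requests to it (a 200 means it was still reachable at that time, a 404 means the deletion was already in effect). The combined log format and the sample log lines are assumptions; the file path comes from the advisory.

```python
import os
import re
from typing import List, Tuple

# Path of the Movable Type importer inside a b2evolution 1.x install,
# relative to the install root (from the advisory above).
IMPORTER_RELPATH = os.path.join("blogs", "inc", "CONTROL", "imports", "import-mt.php")

# Apache/nginx "combined" log format (assumed):
# client ident user [time] "METHOD path HTTP/x" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def importer_present(install_root: str) -> bool:
    """True if import-mt.php still exists under install_root, i.e. the
    mitigation from the advisory has not been applied yet."""
    return os.path.isfile(os.path.join(install_root, IMPORTER_RELPATH))


def find_importer_hits(log_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (ip, time, method, status) for every request whose path ends in
    the importer script, whatever the install prefix or query string."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip it
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.lower().endswith("/inc/control/imports/import-mt.php"):
            hits.append((m.group("ip"), m.group("time"),
                         m.group("method"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Nov/2006:13:02:11 +0100] "GET /blogs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Nov/2006:13:02:19 +0100] "GET /blogs/inc/CONTROL/imports/import-mt.php?x=1 HTTP/1.1" 200 812 "-" "curl/7.15"',
    '198.51.100.4 - - [30/Nov/2006:13:05:40 +0100] "POST /blogs/inc/CONTROL/imports/import-mt.php HTTP/1.0" 404 221 "-" "-"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for hit in find_importer_hits(SAMPLE_LOG):
        print("importer requested:", hit)
    print("importer still on disk:", importer_present("."))
```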

b2evolution passing the Scanmus test

November 13, 2005 @ 23:54, by Francois Planque • Category: Security info

Last week, at PHP Forum Paris 2005, Rasmus Lerdorf (the father of PHP, if you don't know) showcased "Scanmus", a tool he has been developing internally at Yahoo in order to detect severe security holes in PHP applications.

Of course, I took the opportunity to submit b2evolution as a candidate for the scanner to try all its evil tricks on!

b2evo passing the Scanmus test

While I was a little bit worried, since I submitted the not-yet-perfect Phoenix release, the results are pretty comforting about the overall security level provided by b2evolution.

Actually, the only issue detected by the scanner, as explained by Rasmus, is due to the demo server running an older version of PHP. Moreover, it impacts PHP sessions, which b2evolution does not actually use (we'll turn them off on the demo server as well).

Of course, the test cannot be considered definitive, but still, if you compare b2evo's results with average results, you should get an idea about how much work and effort we've been putting into b2evo lately.

If you're interested, you can watch the video! Well, you will see no more than the screen from the picture above (except it moves a little), you won't even see Rasmus on screen, but you'll hear him commenting! ;)

My favorite quote: [Looking at the vulnerability report] "...nothing else?... That's disappointing! :>"

Please save our bandwidth and only load the video if you're geeky enough to watch it, even though it's far from good-quality video! :-/

  • Windows Media 320*200: 4 MB (Highly recommended)
  • MPEG 4 320*200: 15 MB (Insanely large, no quality improvement... but it can play on the iPod video as well as other non Windows boxes :P)

Fix for XML-RPC vulnerability (again!)

August 31, 2005 @ 19:53, by Francois Planque • Category: Security info

Yope, that's right, they did it again! :|

The previous XML-RPC fix may not be secure enough, so...

It is highly recommended you fix your installation by downloading this NEW patch file and unzipping it into your /blogs/b2evocore/ folder. This should overwrite the two following files AGAIN:

  • _functions_xmlrpc.php
  • _functions_xmlrpcs.php

This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.

The patch will be included in future releases.

Fix for XML-RPC vulnerability

July 5, 2005 @ 15:37, by Francois Planque • Category: Security info

A critical security issue has been discovered in the XML-RPC for PHP library that most applications use, including b2evolution.

It is highly recommended you fix your installation by downloading this patch file and unzipping it into your /blogs/b2evocore/ folder. This should overwrite the two following files:

  • _functions_xmlrpc.php
  • _functions_xmlrpcs.php

This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.

The patch will be included in future releases.

Security issue

January 7, 2005 @ 12:13, by Francois Planque • Category: Security info

A moderately critical security advisory has been posted here: http://secunia.com/advisories/13718/

Methods to fix this issue are described here: http://forums.b2evolution.net/viewtopic.php?t=2695

We are encouraging all b2evo users to update their installation.

b2evolution 0.8.2.2 maintenance release

September 2, 2003 @ 19:19, by Francois Planque • Category: New releases, Security info

At b2evolution, one of our main concerns is security. We constantly keep securing the legacy b2 codebase while developing new versions, and we felt it was appropriate to release a security upgrade for our latest stable release (0.8.2).

We are pleased to announce availability of version 0.8.2.2.

b2evolution 0.8.2.2 is a maintenance release intended to fix security issues discovered after the release of version 0.8.2.

This release includes some fixes against XSS and SQL injection vulnerabilities.

All b2 users up to 0.8.2 are encouraged to upgrade their installation. These vulnerabilities most likely also affect other b2 forks, but we have not checked them yet.

Vulnerabilities were also fixed in user-customizable skins, so users will need to apply the changes to their own skins. Contributed skins on evoSkins.org may have the same vulnerabilities, but we have not investigated them yet.
Acknowledgements:

  • Some XSS vulnerabilities were found and reported by office
  • This release was compiled and brought to you by Sakichan.