If you still haven't upgraded to b2evolution 2.4.5, you can now do it with even less clicks than before if you have installed b2evolution with Fantastico Deluxe.

Fantastico now ships b2evolution 2.4.5 as part of their installer.

Thank you to the sharp folks at SuperGreen Hosting for pointing this out to us.

If your webhost doesn't have the latest Fantastico, feel free to ask them to upgrade. It should be very easy for them.

So I guess now that Fantastico has upgraded we can release version 2.4.6? Just kidding! We are working on version 3.0. Stay tuned! ;)

Only December the 2nd and we already have 2 new releases this month! It may seem as we can't get enough releases out the door. But these ones are for your security, so...

It is extremely strongly advised you upgrade!

Download here!

These releases patch the security issue discovered this week in 1.x releases. (If you are running version 0.9.1 or 0.9.2 you are not affected, but it would still be a good idea to upgrade.)

Those versions are codenamed after Anne & Chris who were the first two users reporting the issue. Thanks to both of you as well as to all other users who have helped identifying and fixing this issue in such a short delay.

These versions also include additional security measures, just in case. Sort of having two locks on your door instead of one.

Bonus in version 1.8.6 "Anne": Yearly archives are back. You can display all posts for 2005 with your-blog-url?m=2005

Bonus in version 1.9.1-beta "Chris": a few little bug fixes that make this version less of a beta than 1.9.0 ;)

Well, it's been a long time since the last security alert, but every now and then someone finds a security hole and it gets exploited...

This one doesn't affect b2evolution in itself but the Movable Type Importer as shipped with b2evolution since version 1.6. So, in effect, this security issue affects all versions of b2evolution since 1.6. With the latest tests, versions 0.9.x have appeared to be safe.

The good news is that it is very easy to secure your b2evolution installation before it gets hit by an attack: just delete the Movable Type Importer (you don't need it. It is only used *during* the import if you have migrated from MT to b2evo).

In b2evo versions 1.x, delete this file from your server:
/blogs/inc/CONTROL/imports/import-mt.php

In b2evo versions 0.9.x, you don't need to do anything, you're not affected by this issue. Your version is aging though, and you should consider upgrading as soon as we release 1.8.6.

Older versions: you are not affected by this issue, however your version is so old that you may be affected by other issues. It is strongly advised to upgrade.

We'll release a fixed version of b2evo later tonight.

Last week, at PHP Forum Paris 2005, Rasmus Lerdorf (the father of PHP if you don't know) showcased "Scanmus", a tool he's been developping internally at Yahoo in order to detect any severe security holes in PHP applications.

Of course, I took the opportunity to submit b2evolution as a candidate for the scanner to try all its evil tricks on!

While I was a little bit worried, since I submitted the not-yet-perfect Phoenix release, the results are pretty comforting about the overall security level provided by b2evolution.

Actually, the only issue detected by the scanner, as explained by Rasmus, is due to the demo server running an older version of PHP. Moreover it impacts PHP sessions, which b2evolution does not actually use (we'll turn them off on the demo server as well).

Of course, the test cannot be considered definitive, but still, if you compare b2evo's results with average results, you should get an idea about how much work and effort we've been putting into b2evo lately.

If you're interested, you can watch the video! Well, you will see no more than the screen from the picture above (except it moves a little), you won't even see Rasmus on screen, but you'll hear him commenting! ;)

My favorite quote: [Looking at the vulnerability report] "...nothing else?... That's disappointing! :>"

Watch on Youtube: https://youtu.be/_g94H14uNAY

Yope, that's right, they did it again! :|

The previous XML-RPC fix may not be secure enough, so...

It is highly recommended you fix you installation by downloading this NEW patch file and unzipping it into you /blogs/b2evocore/ folder. This should overwrite the two following files AGAIN:

• _functions_xmlrpc.php
• _functions_xmlrpcs.php

This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.

The patch will be included in future releases.

A critical security issue has been discovered in the XML-RPC for PHP that most applications use, including b2evolution.

It is highly recommended you fix you installation by downloading this patch file and unzipping it into you /blogs/b2evocore/ folder. This should overwrite the two following files:

• _functions_xmlrpc.php
• _functions_xmlrpcs.php

This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.

The patch will be included in future releases.