Slashcode

The "security issue" described on the morning of Dec. 15th is actually two separate and unrelated cross-site scripting (XSS) bugs. We're disclosing all of what we know about them at this point to allow site admins to patch sites which cannot reasonably be upgraded to the latest, fixed version of the code, the Dec. 8th build R_2_5_0_41.

Both of these issues were found by Michael Krax who we understand will be publishing something about them shortly. Again, we thank Mr. Krax for responsibly reporting these issues to us and letting us give administrators running Slash time to upgrade their code.

The first security bug was introduced to Slash in May 2002. The second was introduced in October 2004. Both have been fixed in CVS since Dec. 8, 2004. Neither is present in our last official release, version 2.2.6.

We've gotten a couple of questions about whether there will be a workaround for site admins who don't want to upgrade into x_2_5_* CVS but who don't want to just wait until the patch comes out next week.

For security reasons, we don't want to reveal too much of what's going on until everyone has had a chance to upgrade, but we will say that you can temporarily make your site immune to the vulnerability by removing the symlinks to search.pl and submit.pl.

There has been a security issue in CVS Slash code for the last couple of years which was found recently. This is something that site administrators should be concerned about.

We are urging all sites which are using a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using the 2.2.6 tarball, the latest official release, do not need to upgrade (the issue is not present there).

Those of you following CVS closely: don't do incautious updates in the near future. We're going to be committing a large chunk of code all at once, very soon now, and we guarantee it will break your site if you install it. Bear with us while we get everything up to speed. In a couple of weeks everything will be humming along smoothly.

(We're overhauling the section and topic system, replacing it with something more flexible.)

Last night we sprinkled a trace amount of holy penguin pee on the CVS tag T_2_3_0_151 and pronounced it to also be our latest R_ tag, R_2_3_0_151. This is the latest R_ tag since _113, which was many weeks ago. (If you missed the memo, "T" is for testing and "R" is for releases. We still haven't dubbed anything "Slash 2.3.0" yet, but that's mostly because we're lazy.)

We feel pretty good about the stability of _151, it's been running on Slashdot for a couple of weeks and there are no real problems.

The big change, committed shortly after _151, is the switch from users.pl to login.pl for authentication and related operations. That seems to be working but it hasn't been tested enough to merit an R_ yet. In fact, this may be the last R_ tag that we do for a while, since there are big changes that will be committed in the weeks to come which will put the damper on R'ing.

Here's the CVS tree if you want to browse, and here are the instructions to download:

$ cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/  slashcode login
CVS password: (hit return, there is no password)
$ cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/  slashcode co slash
(much activity)
$ cd slash
$ cvs update -r R_2_3_0_151 -dP