Announcing CMS Made Simple 1.1.4.1 - Critical Update

October 7th, 2007 by Ted Kulp

The ChangeLog looks a little something like this:

Version 1.1.4.1 "Taga" -- October 07 2007
-----------------
- Fix one issue in adodb_lite that cropped up after release
 
Version 1.1.4 "Taga" -- October 07 2007
-----------------
- Fixes an XSS issue in the anchor tag
- Fixes an XSS issue in listtags
- Adds a permission check to adduser.php
- More fixes for potential security issues with adodb_lite
- Added a permission check to view the admin log

Sorry to everyone who got 1.1.4. Sometimes we jump the gun a little bit when there is pressure to get a security release out into everyone’s hands. It’s best that it was on a Sunday (and a holiday in some areas of the world), so hopefully not too many people were affected. If you were, I apologize.

Thanks!
Ted

11 Responses to “Announcing CMS Made Simple 1.1.4.1 - Critical Update”

  1. Tim Jordan Says:

    Ted,
    Love your project. Can’t thank you enough for making a great way to manage web sites!

    TJ

  2. Yury V. Zaytsev Says:

    Well, as far as I can remember, it was the same thing with all the past 3 releases. I think that you do not need to rush the releases out, so you can hang out for a minute, take a deep breath and make sure you won’t hate roll out a 1.x.x.1 in a few minutes.

  3. Yury V. Zaytsev Says:

    Sorry, /hate/have to/s.

  4. Patrick Says:

    I love your project too.
    But I really think you should stick to a maximum of 4 updates a year, whatever happens!

  5. David Says:

    I think it is a good thing to fix bugs as soon as possible. The longer you wait, the more time you give potential abusers to compromise the security of your website and your webserver. Good job and great project!

  6. Robert Campbell Says:

    Patrick: When somebody finds a security issue would you rather us wait for the next quarter to fix it? Probably not. We jump as fast as possible on security issues, and sometimes we jump too fast and little problems sneak in.

    With the upgrade process being as easy as it is (especially if you keep up on the upgrades), I think it’s a better thing to release often, than release rarely.

  7. Angelo Says:

    Crap! I just updated everything from 1.08 to 1.1.3.1. Guess here goes another round of updates.

    Any idea if we’ll ever see a way to “share” a codebase so that when I have to update 8-10 CMS installs, I only have to do it once?

    Great product… still. And I’ve been a user since the “early” days (Remember, Ted, me and you working to get it working on IIS like 3 years ago?)

  8. Matt Says:

    I agree Robert, the sooner security related issues are resolved the better.

    Keep up the great work!

  9. draak Says:

    Guys, this might not be the right place for ideas, but as you are fixing insecurities, how about preventing them?

    Synopsis:
    preventing insecure logins if https is not available

    Solution:
    javascript based md5
    http://pajhome.org.uk/crypt/md5/auth.html

  10. Yury V. Zaytsev Says:

    I wonder why my comments are still awaiting moderation. Did I say anything offensive or what?

  11. Michael Erb Says:

    Thank you for releasing these security updates as quickly as you do.

    Anyone who thinks the security updates come too often obviously has never been the victim of a security vulnerability that has been exploited.