The eZ Publish 3.9.1, 3.8.7, 3.7.10 and 3.6.12 releases fix security issues of medium severity and include many other bug fixes. Site maintainers who rely on the approval workflow are advised to upgrade as soon as possible.
These releases also mark the end of eZ Publish 3.6.x and 3.7.x maintenance.
Severity: Medium
When defining an approval workflow, you also specify a set of users and groups who are allowed to approve the objects. In previous releases, it was possible for users without sufficient credentials to approve the objects. This security issue cannot be exploited in a default installation, as only Administrator users have the privileges to access the collaboration view. In order to exploit this weakness, the user first needs to be given access to the collaboration module. Usually only users who approve content would need to have access to this module on sites using approval workflows.
Severity: Medium
In previous releases, a bug in the PDF library could cause excessive memory consumption when handling specially crafted content. This could make the server run out of memory and become completely unresponsive. On servers where PHP's memory_limit setting was configured correctly, this was handled more gracefully, as the request would be aborted immediately when the memory limit was reached.
See the changelogs for a complete list of fixed bugs:
Our policy is to support only the last two versions of eZ Publish (for instance versions 3.7 and 3.8). However, since eZ Publish 3.6 and eZ Publish 3.7 have essentially the same functionality (but different requirements regarding the PHP version), we decided to make an exception and support eZ Publish 3.6 for as long as eZ Publish 3.7 was supported. With the release of eZ Publish 3.9.1, eZ Publish 3.6 and 3.7 are no longer supported or maintained. Users of those versions are encouraged to upgrade to a newer version.
The releases are available for download from our eZ Publish download page.