As communicated in our last platform release, we are adopting a monthly release cycle. Today we are happy to announce v2.3 of the platform which is mainly a follow up of Juba. It is mainly a bug-fix release and some of these are outlined below:
- Cleaned up database Schema – There have been some redundant fields in some of the tables which this release has addressed. In addition proper documentation of the schema has been done, see more on here.
- Improvements on the installer – This includes the introduction of an admin login email configuration, hiding of admin password once installation is complete and finally few fixes on the .htaccess file.
- Editing in the Dashboard: Added HTML editing and more attributes to the page editor.
While this is mainly a bug release, we sneaked in a few features. This includes functionality like ability to pull geo-data from tweets if it exists and save with the message/tweet.
Early this month, our team traveled to the Redlands and worked very closely with ESRI to look at ways we could work together for the benefit of our communities. Some of the results of the hackathon are included in this release. More will be announced in due course as they are completed.
We added ESRI base layers to increase the default map options for deployers. This is available only for the downloadable version of the Ushahidi platform, we are working on testing and providing the option on Crowdmap.com hosted deployments in several weeks.
IMPORTANT SECURITY UPDATE
Finally, there were some security vulnerabilities reported which involved Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). In our investigation, we found that the patch had been completed but had not been added to download.ushahidi.com. These changes have been incorporated. Please update your deployments.
On April 13, 2012, Exploit DB reported two security vulnerabilities with the Ushahidi web application. The two issues discovered were Cross-site Request Forgery and the Cross-site Scripting. In our investigation, we found that the patch had been completed but had not been added to download.ushahidi.com. These changes have been incorporated. Please update your deployments.
Advisory ID: SA-WEB-2012-003
Security Risk: Critical
Vulnerability: CSRF and XSS
Patch your installation with the contents of this file (patch_2.2.1.zip).
- Unzip patch_2.2.1
- The files to change are stored in the conventional Kohana folder structure.
- Upload and replace your current files in the folders that correspond to those in the patch.
(Crowdmap has been updated to include the security patch. Features noted above for the Ushahidi platform will be added to Crowdmap at a later date.)
Special shout outs to ESRI, Robert Buckley, Nigel McNie, shpendk, and the Ushahidi developer community for making this release happen. Thank you for your help in testing, bug reports and pull requests.