We have an important security release with minor code fixes for 2.6. The release number is 2.6.1.
Security updates: Vulnerability: Forgotten password challenge guessable.
Fixes a security issue discovered by Timothy D. Morgan (thank you).
Forgotten-password challenges were guessable because they were derived from the user's last login time and email address, both of which an attacker can know or narrow down. Tokens are now generated as an HMAC of the login time and email address, using a salt and a secret key reserved specifically for these tokens, so a token cannot be computed or verified without that key.
This vulnerability can be fixed by upgrading to 2.6.1. An upgrade is highly recommended.
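The two token designs compared, as an added example written for this post in Python. It is not Ushahidi's code (which is PHP) and does not reproduce its actual token format; it only has the property the advisory describes: the weak token is a plain hash over the email and last login time, so an attacker who knows the email and roughly when the victim last logged in can enumerate candidates until one matches, while the keyed HMAC version cannot be reproduced without the dedicated secret. The account, login time and the enumeration window are constructed sample data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed sample account; not a real user or deployment.
EMAIL = "alice@example.org"
LAST_LOGIN = datetime(2012, 11, 30, 14, 22, 37)


def _material(email: str, last_login: datetime) -> bytes:
    """Inputs both designs hash: the email and the login time to the second."""
    return f"{email}|{last_login:%Y-%m-%d %H:%M:%S}".encode()


def weak_token(email: str, last_login: datetime) -> str:
    """Pre-fix pattern (illustrative, not Ushahidi's actual code): a plain
    hash over values the attacker can know or guess. Nothing secret goes in."""
    return hashlib.sha1(_material(email, last_login)).hexdigest()


def guess_weak_token(email: str, approx_login: datetime,
                     window_seconds: int, observed: str):
    """Attacker's side: knowing the email and the login time to within
    +/- window_seconds, try every second until the hash matches.
    Returns the recovered login time, or None."""
    start = approx_login - timedelta(seconds=window_seconds)
    for offset in range(2 * window_seconds + 1):
        candidate = start + timedelta(seconds=offset)
        if weak_token(email, candidate) == observed:
            return candidate
    return None


def strong_token(email: str, last_login: datetime, key: bytes, salt: bytes) -> str:
    """Post-fix pattern: HMAC over the same inputs plus a salt, keyed with a
    secret used for nothing else. Knowing email and login time is no longer
    enough to compute the token."""
    return hmac.new(key, salt + _material(email, last_login), hashlib.sha256).hexdigest()


def check_token(presented: str, email: str, last_login: datetime,
                key: bytes, salt: bytes) -> bool:
    """Server-side verification; compare_digest avoids leaking the position
    of the first mismatching character through timing."""
    expected = strong_token(email, last_login, key, salt)
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Run both scenarios and return the outcomes."""
    # Attacker sees a weak token and knows the login only to the nearest
    # ten minutes (14:20 rather than 14:22:37).
    observed = weak_token(EMAIL, LAST_LOGIN)
    approx = LAST_LOGIN.replace(minute=20, second=0)
    recovered = guess_weak_token(EMAIL, approx, 600, observed)

    # Key and salt are generated once per install and kept out of the
    # database and web root (assumed deployment practice for this demo).
    key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    genuine = strong_token(EMAIL, LAST_LOGIN, key, salt)

    # Same enumeration against the keyed design: the attacker can only
    # produce unkeyed hashes, none of which verify.
    forged_ok = any(
        check_token(hashlib.sha256(_material(EMAIL, approx + timedelta(seconds=s))).hexdigest(),
                    EMAIL, LAST_LOGIN, key, salt)
        for s in range(-600, 601)
    )
    return {
        "weak_recovered": recovered == LAST_LOGIN,
        "strong_accepts_genuine": check_token(genuine, EMAIL, LAST_LOGIN, key, salt),
        "strong_accepts_forgery": forged_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The weak design falls in about a thousand hash computations for a ten-minute window; the keyed design never accepts a guess, whatever the window. The key must be distinct from any other application secret, as the advisory says, because a token derived from a shared secret is only as protected as every other place that secret is used. Since the HMAC is deterministic over the login time, the same token is reissued until the next login; pairing it with an expiry or a one-time-use flag is the usual complement to this change.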
For users who cannot upgrade (i.e. if you are running an earlier Ushahidi version), you can patch your install with the patch attached to this post:
- Download and unzip the patch file attached to this alert.
- Upload the extracted files, replacing your current files in the corresponding folders of your install.
- Version: 2.6 (and earlier)
Upgrade file for Ushahidi 2.6.1: https://github.com/downloads/ushahidi/Ushahidi_Web/ushahidi_2.6_2.6.1.zip
Full download for Ushahidi 2.6.1: https://github.com/downloads/ushahidi/Ushahidi_Web/Ushahidi_Web-2.6.1.zip
Details on upgrading:
If you are using a version of Ushahidi lower than 2.6, we recommend you upgrade to the latest version to be secure. Please see our wiki for full migration guides. We created a plug-in compatibility chart.
However, if you cannot upgrade immediately, there are standalone patches available for Ushahidi 2.4+. In future, security patches will be made available and tested for the previous three releases (currently 2.4, 2.5 and 2.6). Those on older releases must upgrade to a more recent release before applying security patches.
Standalone security patches (just the security fix, without other changes). Check the MD5 of each download against the value listed here before applying it:
ushahidi_2.6.x_secfix-2012-008.zip md5: 24cf4645c2fdf39b18688542289d89fe
ushahidi_2.5.x_secfix-2012-008.zip md5: 7bb5fa2877e43138e45803696e840f38
ushahidi_2.4.x_secfix-2012-008.zip md5: e6aaaa7e35738b9e5a032eac512612de
Additional fixes to 2.6
These fixes are included in the 2.6.1 bundle. For details on how to migrate from 2.6 to 2.6.1, see the migration guides on our wiki.
- Some calls to escape HTML could not handle UTF-8 characters; this has been corrected.
- Map loading issues:
  - The GeoJSON used to load maps failed to render if a deployment had reports without locations; such reports are now ignored.
  - Maps on individual report pages were not loading; the JS error causing this is now fixed.
  - OpenLayers TMS support was not included in 2.6; it has been reinstated so that the Cloudmade plugin works.
- Fixed issues with loading custom form fields on deployments that use table prefixes.
- Fixed PHP errors when signing up for mobile alerts.
- Fixed the "more information" links in the reports listing.
Upgrade Day: December 5 and 6, 2012
Upgrade Day is here again. We know there are many Ushahidi deployments on older versions. Upgrading alone can be daunting, so we are hosting our 2nd Community-wide Upgrade Day. Join us on Skype to upgrade together.
What we will support in the future
Moving towards 3.0, we will only support (e.g. with security patches) versions 2.4 and higher. There have been substantial changes in our software over the last few releases. The most current version is listed on the download site. Newer releases bring:
- New Features
- Bug Fixes
- More Secure
- If you are on a version lower than 2.4, you will be able to use the Auto-upgrader tool.
- More compatible with newer versions
Deployers: Get Help or Be a Helper
We’ve set up the following schedule to match deployers and developers. Please be sure to add your contact information and add us on Skype.
Deployers, some of you are masters of the Upgrade. Join us to help your fellow deployers get on the latest version.
Thanks to everyone who identified, tested and provided patches for these issues. Happy upgrading!