Upgrade Day, Security Release and Code fix 2.6.1

Ushahidi
Nov 29, 2012

We have an important Security release and minor code fix for 2.6. The release number is 2.6.1.

Security updates: Vulnerability: Forgotten password challenge guessable.

Fixes a security issue discovered by Timothy D. Morgan (thank you). Forgotten-password challenges were guessable based on a user's last login time and email address. Tokens are now generated as an HMAC of the login time and email address, using a salt and secret key reserved specifically for these tokens.

Instructions: this vulnerability is fixed by upgrading to 2.6.1, which is highly recommended. Users who cannot upgrade (i.e. those running an early Ushahidi version) can patch their install with the patch attached to this post:
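As an added illustration (not Ushahidi's own code), the contrast between a reset challenge derived only from the email address and login time and one keyed with a secret and salt reserved for reset tokens, as the fix describes; the key, salt and function names are assumptions.

```python
import hashlib
import hmac


# Constructed illustration of the weakness class the advisory describes:
# a challenge computed only from values that are not secret (the account
# e-mail and the last login time). Anyone who knows both inputs can
# recompute the same value, so it is guessable rather than random.
def guessable_token(email: str, login_time: int) -> str:
    return hashlib.sha1(f"{email}:{login_time}".encode()).hexdigest()


# Post-fix construction: the same inputs, but bound to a secret key and a
# salt used only for reset tokens. Without the key the value cannot be
# recomputed, even by someone who knows the e-mail and login time.
def reset_token(email: str, login_time: int, secret_key: bytes, salt: bytes) -> str:
    # Normalise the address so "User@Example.org" and "user@example.org"
    # yield the same token; the separator keeps the fields unambiguous.
    msg = salt + b"|" + email.strip().lower().encode() + b"|" + str(login_time).encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def verify_reset_token(presented: str, email: str, login_time: int,
                       secret_key: bytes, salt: bytes) -> bool:
    expected = reset_token(email, login_time, secret_key, salt)
    # Constant-time comparison so the check itself leaks no timing signal.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    key, salt = b"assumed-reset-secret-key", b"assumed-reset-salt"
    email, login = "user@example.org", 1354147200
    tok = reset_token(email, login, key, salt)
    print("guessable:", guessable_token(email, login))
    print("keyed    :", tok)
    print("verifies :", verify_reset_token(tok, email, login, key, salt))
    print("wrong key:", verify_reset_token(tok, email, login, b"other", salt))
```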

Download and unzip the patch file attached to this alert.

Upload and replace your current files in the folders that correspond to those in the patch.

Version: 2.6 (and earlier)

Upgrade file for Ushahidi 2.6.1: https://github.com/downloads/ushahidi/Ushahidi_Web/ushahidi_2.6_2.6.1.zip (md5: 6a1ef328dce55dfa2218fe81d1269a18)

Full download for Ushahidi 2.6.1: https://github.com/downloads/ushahidi/Ushahidi_Web/Ushahidi_Web-2.6.1.zip (md5: 75eec9678f04ad9245c1b267bca55980)

Details on upgrading: If you are using a version of Ushahidi lower than 2.6, we recommend you upgrade to the latest version to be secure. Please see our wiki for full migration guides. We have created a plug-in compatibility chart. If you cannot upgrade immediately, standalone patches are available for Ushahidi 2.4+. In future, security patches will be available and tested for the previous three releases (currently 2.4, 2.5 and 2.6). Those on older releases must upgrade to a more recent release before applying security patches.

Standalone patches

(just the security fix without other changes)

ushahidi_2.6.x_secfix-2012-008.zip md5: 24cf4645c2fdf39b18688542289d89fe

ushahidi_2.5.x_secfix-2012-008.zip md5: 7bb5fa2877e43138e45803696e840f38

ushahidi_2.4.x_secfix-2012-008.zip md5: e6aaaa7e35738b9e5a032eac512612de

Additional fixes to 2.6

These fixes are included in the bundle for 2.6.1. More details on how to migrate to 2.6.1 from 2.6 are available on our wiki.

UTF-8 fixes

Some calls to escape HTML could not handle UTF-8 characters; this has been corrected.

Map loading issues

The GeoJSON used to load maps failed to render if a deployment had reports without locations; these reports are now ignored.

Maps on individual report pages were not loading; the JS error causing this is now fixed.

OpenLayers TMS support wasn't included in 2.6; this has been reinstated to ensure the Cloudmade plugin works.

Custom forms

Fixed issues with loading custom form fields on deployments using table prefixes.

Fixed PHP errors when signing up for mobile alerts.

Fixed "more information" links in the reports listing.

Upgrade Day: December 5 and 6, 2012

Upgrade Day is here again. We know there are many Ushahidi deployments on older versions. Upgrading alone can be daunting, so we are hosting our 2nd community-wide Upgrade Day. Join us on Skype to upgrade together.

What we will support in the future

Moving towards 3.0, we will now only support (e.g. with security patches) versions higher than 2.4. There have been substantial changes in our software in the last few releases. The most current version is listed on the download site.

Why upgrade:

New Features

Bug Fixes

More Secure

If you are on a version lower than 2.4, you will be able to use the Auto-upgrader tool.

More compatible with newer versions

Deployers: Get Help or Be a Helper

We've set up the following schedule to match deployers and developers. Please be sure to add your contact information and add us on Skype. Deployers, some of you are masters of the upgrade; join us to help your fellow deployers get on the latest version.

The Sign-up and Schedule

Thanks to everyone who identified, tested and provided patches for these issues. Happy upgrading!