Today, we released Omeka 2.2.1, a security update for Omeka 2.2. All users should upgrade.
This release closes vulnerabilities to cross-site scripting (XSS) and cross-site request forgery (CSRF) on the admin user forms.
An unrelated fix to the API removes dead links to private collections for non-authenticated users.
Thanks to Gjoko Krstic at the Zero Science Lab for finding and reporting the XSS and CSRF vulnerabilities.
Please see the release notes for more detail.
Daniel Berthereau Infodoc & Knowledge management
The XSS hole was in a page that didn't exist in 1.5, so you're fine there.
The CSRF problem affects all prior versions.