Security release: Omeka 2.2.1


Patrick Murray-John

Jul 16, 2014, 8:28:53 PM7/16/14
to omek...@googlegroups.com
Hello Omekans!

Today, we released Omeka 2.2.1, a security update for Omeka 2.2. All users should upgrade.

This release closes vulnerabilities to cross-site scripting (XSS) and cross-site request forgery (CSRF) on the admin user forms.

An unrelated fix to the API removes dead links to private collections for non-authenticated users.

Thanks to Gjoko Krstic at the Zero Science Lab for finding and reporting the XSS and CSRF vulnerabilities.

Please see the release notes for more detail.

Thanks, and happy building!
Patrick
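As an added illustration, not Omeka's own code and not part of this thread, the following PHP shows what closing the two issue classes named above amounts to on an admin user form: a per-session CSRF token that is embedded in the form and checked in constant time on submit, and HTML-escaping of every user-controlled value at the point it is written into the page. The function names, the form field names and the in-memory session array are assumptions made for this example.

```php
<?php
// Added illustration (not Omeka's code): CSRF-token verification and output
// escaping for a hypothetical admin user form. Names are assumptions.

declare(strict_types=1);

// --- CSRF: one unforgeable token per session, verified on every submit ---

function csrf_token(array &$session): string
{
    // Issue the token once and reuse it for the rest of the session.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_verify(array $session, array $post): bool
{
    // Reject missing or non-string tokens before comparing anything.
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so timing does not leak the token.
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- XSS: escape user-controlled values where they enter the HTML ---

function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render the edit form. The username came from a user and must be escaped;
// the token is escaped too, as a matter of habit, even though it is hex.
function render_user_form(array &$session, string $username): string
{
    return '<form method="post">'
        . '<input type="hidden" name="csrf_token" value="'
        . escape_html(csrf_token($session)) . '">'
        . '<input name="username" value="' . escape_html($username) . '">'
        . '<button>Save</button></form>';
}

// Handle the submit: refuse the change unless the token matches the session.
function handle_user_form(array &$session, array $post): array
{
    if (!csrf_verify($session, $post)) {
        return ['ok' => false, 'error' => 'invalid or missing CSRF token'];
    }
    $username = isset($post['username']) && is_string($post['username'])
        ? $post['username'] : '';
    return ['ok' => true, 'username' => $username];
}

// Demo with a constructed session and two constructed submissions.
$session = [];

// A username containing markup is rendered inert by escape_html().
echo render_user_form($session, '"><script>alert(1)</script>'), "\n";

// A cross-site request cannot know the session token, so it is refused.
$forged = ['username' => 'attacker', 'csrf_token' => 'guess'];
var_dump(handle_user_form($session, $forged));

// The real form carries the session token and is accepted.
$legit = ['username' => 'alice', 'csrf_token' => $session['csrf_token']];
var_dump(handle_user_form($session, $legit));
```

In a real application the session array is `$_SESSION` and the token check belongs in front of every state-changing admin action, not only the user form; the escaping helper is applied to each value as it is echoed into HTML, which is the step a missed form field typically skips.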

Daniel Berthereau

Jul 17, 2014, 9:37:47 AM7/17/14
to omek...@googlegroups.com
Hi,

Is Omeka 1.5 affected?

Sincerely,
Daniel Berthereau
Infodoc & Knowledge management
--
You received this message because you are subscribed to the Google Groups "Omeka Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to omeka-dev+...@googlegroups.com.
To post to this group, send email to omek...@googlegroups.com.
Visit this group at http://groups.google.com/group/omeka-dev.
For more options, visit https://groups.google.com/d/optout.

John Flatness

Jul 17, 2014, 11:10:08 AM7/17/14
to omek...@googlegroups.com

The XSS hole was in a page that didn't exist in 1.5, so you're fine there.

The CSRF problem affects all prior versions.

R Miller

Feb 17, 2015, 1:30:12 PM2/17/15
to omek...@googlegroups.com
I think a tool like OWASP ZAP, which is free, would reveal some continuing XSS vulnerabilities. I am not sure if any of these would be significant, but it would be nice to close what automated penetration testing can find.

r miller