From Habari Project
We're excited to release Habari 0.6.5 today! This is a minor update to our 0.6.4 release.
A very minor security-related issue was discovered this week: an attacker who could guess a user_id was able to trigger a password reset for that user, which sent a reset email to the affected user. While we're unaware of any instances of this occurring in the wild, and at no time was the attacker able to obtain the user's password, we've made a simple fix and packaged up the 0.6.5 release.
All users of the 0.6.4 release or earlier are encouraged to upgrade to Habari 0.6.5 immediately to avoid this inconvenience.
- r4579: Add a check to make sure the hash we're handed is a valid string before we try to MD5 it. This prevents handing Habari a URL with an invalid hash argument that would trigger an error and allow random password resets.
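The fix in r4579 is an input check that runs before the reset hash is passed to MD5 and compared. The following PHP is an added illustration of that pattern and is not Habari's own code: the user store, field names, the 32-hex-character token format and the function names are all assumptions. It rejects anything that is not a well-formed string before hashing, looks the user up only after that, compares in constant time, and clears the pending hash once a reset is accepted so the same link cannot be replayed.

```php
<?php
// Added example, not Habari's code: validate a password-reset hash argument before
// it is hashed and compared. Storage layout, field names and token format are assumptions.

// Constructed sample store: user_id => record. The value in the database is md5() of the
// token that was e-mailed to the user, so the mailed token itself is never stored.
$mailed_token = md5('constructed seed');   // stands in for a randomly generated token
$users = array(
    42 => array('email' => 'user@example.com', 'reset_hash' => md5($mailed_token)),
);

// True only when $hash is a non-empty string of the expected shape. Non-string values
// (PHP can deliver arrays or nulls from a query string), empty strings and oversized
// inputs are all refused here, before md5() ever sees them.
function is_valid_reset_hash($hash) {
    if (!is_string($hash) || $hash === '') {
        return false;
    }
    // Assumed token alphabet: 32 lowercase hex characters.
    return preg_match('/^[a-f0-9]{32}$/', $hash) === 1;
}

// Constant-time comparison of the presented hash against the stored one.
// hash_equals() exists from PHP 5.6; the loop is a fallback for older releases.
function reset_hash_matches($presented, $stored) {
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $presented);
    }
    if (strlen($presented) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($presented[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Handles one reset request. Returns true if the reset is accepted, false otherwise.
// Order matters: validate the argument, then find the user, then hash and compare.
function handle_password_reset(array &$users, $user_id, $hash) {
    if (!is_valid_reset_hash($hash)) {
        return false;                       // malformed argument: refuse without hashing
    }
    $user_id = (int) $user_id;
    if (!isset($users[$user_id]) || empty($users[$user_id]['reset_hash'])) {
        return false;                       // unknown user, or no reset pending for them
    }
    if (!reset_hash_matches(md5($hash), $users[$user_id]['reset_hash'])) {
        return false;                       // wrong token
    }
    // Accepted: clear the pending hash so the link cannot be used a second time.
    $users[$user_id]['reset_hash'] = null;
    return true;
}

// Constructed inputs: a non-string argument, an empty string, a well-formed but wrong
// token, the correct token, and the correct token presented again after it was consumed.
var_dump(handle_password_reset($users, 42, array('x')));
var_dump(handle_password_reset($users, 42, ''));
var_dump(handle_password_reset($users, 42, str_repeat('0', 32)));
var_dump(handle_password_reset($users, 42, $mailed_token));
var_dump(handle_password_reset($users, 42, $mailed_token));
```

Only the fourth request is accepted; the first two never reach md5(), the third fails the comparison, and the fifth fails because the stored hash was cleared on success. Keeping the type and format check ahead of the database lookup also means a malformed argument cannot cause an error in the middle of the reset flow, which is the failure the r4579 note describes.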
As with any piece of software, open issues and enhancement requests remain. For full details see Habari's change management system.
These release notes were compiled by the Habari Community. Special thanks to meller for the patches, packaging, and release announcements. Thanks also to all the users helping with additional translations.
Sincere thanks to everyone who has contributed time and energy into continuing to make Habari the success that it is. The Habari community continues to expand, and bring new talent and passion together.