From Habari Project
We're excited to release Habari 0.6.6 today! This is a minor update to our 0.6.5 release.
We were notified of three potential security vulnerabilities by the High-Tech Bridge security company: a low-risk path disclosure vulnerability (HTB22732) and two potential medium-risk XSS flaws (HTB22731 and HTB22733). While the potential for, and risk of, actual compromise is low, and we are unaware of any instances of these vulnerabilities being exploited in the wild, we are happy to announce that all three are fixed in this new release.
In addition, known bugs in the Habari File Silo have been addressed.
All users of the 0.6.5 release or earlier are encouraged to upgrade to Habari 0.6.6 immediately to avoid any potential security vulnerabilities, no matter how small.
- Under certain conditions the absolute file path could be exposed. Fixed in revisions r4654 to r4662.
- Users were unable to create directories more than one level deeper than /user/files/ in the Habari File Silo. Fixed first in trunk r3623 and merged in r4664.
- Some users were unable to upload the first file to an empty directory in the Habari File Silo. Fixed first in trunk r3553 and now in r4665.
As with any piece of software, issues and enhancement requests remain. For full details, see Habari's change management system.
These release notes were compiled by the Habari Community. Special thanks to meller for the patches, packaging, and release announcements.
Sincere thanks to everyone who has contributed time and energy to making Habari the success that it is. The Habari community continues to expand and to bring new talent and passion together.