News

Posted about 12 years ago by info@ocportal.com (ocProducts)
8 RC3 released. Read the full article for a list of changes, and upgrade information.
Posted about 12 years ago by info@ocportal.com (ocProducts)
8 RC2 released. Read the full article for a list of changes, and upgrade information.
Posted about 12 years ago by info@ocportal.com (ocProducts)
8 RC1 released. Read the full article for a list of changes, and upgrade information.
Posted about 12 years ago by info@ocportal.com (ocProducts)
Today a number of email notifications went out from ocPortal.com, to some unintended recipients. There is no security issue here, but we do take it very seriously if people receive e-mails they didn't sign up to. At the very least it's embarrassing to have our own system go haywire. Please accept our apologies for those who received the unintended emails. Those affected are users with relatively low member IDs.
Posted about 12 years ago by info@ocportal.com (ocProducts)
We have just released ocPortal 7.1.6, primarily to get out some very important security fixes to ocPortal. In the last few weeks two security research organisations have discovered some security holes and detailed them to us. They gave us a reasonable period of time to fix the problems, hence this release prior to the wider public disclosure of the vulnerabilities.

Action required

We recommend users upgrade to 7.1.6, which will resolve all these issues at once, and also update on a number of other compatibility issues that have recently come up (PHP 5.4, PayPal changes, Google Chrome bug).

Vulnerabilities have been found in:
- The code editor and config editor
- The catalogues system
- The core system, how redirects are handled (two different attack patterns)

If users are on a heavily customised version and cannot upgrade to a new patch release, changes may be made manually. A patch is attached illustrating the changes. Users who need to update manually and don't have experience with patch files should open a support ticket.

Attachment » Download: ocportal-security-release.patch (12 Kb, 11 downloads so far)

Future policy

We have had a policy of not identifying vulnerabilities in ocPortal to this point, to avoid alerting hackers where they might concentrate attention. Rather, we have promptly released a new version whenever any issue has been found and recommended people upgrade to it. The problem with this approach is that if people don't know of a security hole they may decide not to follow our upgrading advice and fall behind. This has not really been a problem up to this point as vulnerabilities have only been found very rarely (about one every two years). Now that ocPortal is under some increased scrutiny, we'll be changing our policy going forward.

The new policy will be that we will give some general upfront advice if an ocPortal vulnerability has been found, via our newsletter and site news. Within this advice we will give a time when a security update will be released. This way, hackers don't have much chance to target a site before it is upgraded, because the site owner is able to schedule their site update in advance, so it happens very close to the security update being released (update released = update available for hacker study). We carried out this policy today, although only with a few hours' notice. In the future, one or two weeks' notice will be more usual.

Credit

We would like to thank the following groups/individuals for working with us in a professional way on these issues:
- YGN Ethical Hacker Group
- High-Tech Bridge SA Security Research Lab
- Micheal Cottingham (for a vulnerability previously fixed, back in 7.1)
Posted about 12 years ago by info@ocportal.com (ocProducts)
7.1.6 released. Read the full article for a list of changes, and upgrade information.
Posted about 12 years ago by info@ocportal.com (ocProducts)
An important security update for version 7.1 will be released at around 7PM GMT today. 3 security issues were found in recent weeks by two security companies. We'll be thanking these companies for advising us in advance of the disclosure of these issues. This release will also fix a number of other bugs, as it has been a long time since we've needed to make a patch release update (the last release has proved very stable, and development has concentrated on the upcoming version 8.0). In particular, a fix will be released for Google Chrome compatibility, as a bug introduced in a relatively recent Chrome update caused major form layout issues in ocPortal. Version 8.0 of ocPortal will include all bug fixes and security updates, and beta 1 will also be released soon. However, we will advise users of 7.1 and earlier to patch security issues rather than waiting to upgrade.
Posted over 12 years ago by info@ocportal.com (ocProducts)
7.1.5 released. Read the full article for a list of changes, and upgrade information.
Posted over 12 years ago by info@ocportal.com (ocProducts)
7.1.4 released. Read the full article for a list of changes, and upgrade information.
Posted almost 13 years ago by info@ocportal.com (ocProducts)
7.1.3 released. Read the full article for a list of changes, and upgrade information.