Saturday 28 October 2006 by
Someone finally found an exploit in Textpattern – in a gamma release from 2½ years ago.
All 4.0.x release versions are secure against this exploit. The problem was discovered and fixed by Sencer shortly after the g1.19 release.
The author of the exploit made no attempt to contact us, so I won’t credit him with finding the vulnerability or provide a link.
Anyone running Textpattern g1.19 or earlier should upgrade immediately.
Though they are not vulnerable to this attack, we strongly recommend that anyone running old versions of Textpattern also upgrade as soon as possible.
I think this deserves some…
/clap
28 Oct 06
Brandon Erik Bertelsen
It seems to be a problem with the tar.gz version; it was gzipped twice:
$ file textpattern-4.0.4.tar.gz
textpattern-4.0.4.tar.gz: gzip compressed data, from Unix
$ gunzip textpattern-4.0.4.tar.gz
$ file textpattern-4.0.4.tar
textpattern-4.0.4.tar: gzip compressed data, from Unix
$ gzcat -S .tar textpattern-4.0.4.tar
$ file textpattern-4.0.4
textpattern-4.0.4: POSIX tar archive
28 Oct 06
Ilya Voronin
The textpattern-4.0.4.tar.gz file on the download page appears to be just fine. Please try downloading it again, and ask on the forum if you need more help.
28 Oct 06
Alex
FWIW – I’ve had problems with the tarball (on several machines) as well. I’ve resorted to the zip.
30 Oct 06
blanco
Upgrading from a g1.19 version, are there special instructions or should we follow those on the download page?
31 Oct 06
Eddie