Reporting

Textpattern g1.19 security hole

Someone finally found an exploit in Textpattern – in a gamma release from 2½ years ago.

All 4.0.x release versions are secure against this exploit. The problem was discovered and fixed by Sencer shortly after the g1.19 release.

The author of the exploit made no attempt to contact us, so I won’t credit him with finding the vulnerability or provide a link.

Anyone running Textpattern g1.19 or earlier should upgrade immediately.

Though they are not vulnerable to this attack, we strongly recommend that anyone running old versions of Textpattern also upgrade as soon as possible.

---

Comment

  1. I think this deserves some…

    /clap

    Brandon Erik Bertelsen · Oct 28, 08:46 AM · #

  2. It seems to be a problem with the tar.gz version; it was gzipped twice:
    $ file textpattern-4.0.4.tar.gz
    textpattern-4.0.4.tar.gz: gzip compressed data, from Unix
    $ gunzip textpattern-4.0.4.tar.gz
    $ file textpattern-4.0.4.tar
    textpattern-4.0.4.tar: gzip compressed data, from Unix
    $ gzcat -S .tar textpattern-4.0.4.tar
    $ file textpattern-4.0.4
    textpattern-4.0.4: POSIX tar archive

    Ilya Voronin · Oct 28, 05:35 PM · #

  3. The textpattern-4.0.4.tar.gz file on the download page appears to be just fine. Please try downloading it again, and ask on the forum if you need more help.

    Alex · Oct 29, 12:20 AM · #

  4. FWIW – I’ve had problems with the tarball (on several machines) as well. I’ve resorted to the zip.

    — blanco · Oct 30, 09:02 PM · #

  5. Upgrading from a g1.19 version, are there special instructions or should we follow those on the download page?

    — Eddie · Oct 31, 08:31 PM · #