Update 2.4.11 changelog

This commit is contained in:
Ingo Schommer 2013-08-07 20:27:00 +02:00
parent a6a7b01afc
commit 84a8b21936
2 changed files with 11 additions and 1 deletions

View File

@ -1,9 +1,10 @@
# 2.4.11 (Not yet released)
# 2.4.11 (2013-08-08)
## Overview
* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
* Security: SQL injection in Versioned.php
## Details
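Review bot: The new Overview bullet "Security: SQL injection in Versioned.php" carries no reference, while the flush bullet directly above it links to its issue (#1692). Consider linking this bullet to the matching section under Details, or to the patch linked from that section, so that someone skimming the Overview can get to the fix.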
@ -22,6 +23,14 @@ To prevent this, main.php now checks and only allows the flush parameter in the
This applies to both `flush=1` and `flush=all`but only through web requests made through main.php - CLI requests,
or any other request that goes through a custom start up script will still process all flush requests as normal.
Thanks to Christopher Tombleson for reporting.
### Security: SQL injection in Versioned.php
The `archiveDate` parameter wasn't correctly escaping user input through URL parameters ([download patch](https://github.com/silverstripe/silverstripe-framework/commit/a150989e6fb8b0ad41d9ad2af54948de33c721f0.patch))
Thanks to Dean Jerkovich of NCC Group for reporting.
## Changelog
### Bugfixes
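Review bot: The new "Security: SQL injection in Versioned.php" section says only that `archiveDate` "wasn't correctly escaping user input through URL parameters". It gives neither the affected releases nor whether the parameter can be reached without logging in, and a site owner needs both to judge how urgently to upgrade or apply the patch. Suggest adding a sentence on affected versions and exposure, and rewording so that the code rather than the parameter is what failed to escape, for example "The `archiveDate` URL parameter was not escaped before being used in a query." The context line above also reads "`flush=all`but", which is missing a space and could be fixed in the same pass.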

View File

@ -9,6 +9,7 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
## Stable Releases
* [2.4.11](2.4.11) - 2013-08-08
* [2.4.10](2.4.10) - 2013-02-19
* [2.4.9](2.4.9) - 2012-12-04
* [2.4.8](2.4.8) - 2012-10-30
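Review bot: The entry "[2.4.11](2.4.11) - 2013-08-08" is dated one day after this commit (2013-08-07), and the changelog heading that replaces "Not yet released" uses the same date. If the release slips, both places will need updating together, so it is worth confirming the date when the release is tagged.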