Interchange security releases: 5.7.6, 5.6.3, 5.4.5
Posted on 24-Mar-2010 by David Christensen
Today we are releasing three new versions of Interchange:
- Interchange 5.7.6 is the latest development version representing all recent improvements and new features to increase developer efficiency and fix bugs.
- Interchange 5.6.3 is the latest stable version which includes the most important changes backported to provide the most stability possible for those upgrading from versions 5.6.0, 5.6.1 or 5.6.2.
- Interchange 5.4.5 is an update of the previous stable series of releases provided only to fix a serious security problem.
All three releases close a potential HTTP response splitting vulnerability. This type of vulnerability can have multiple impacts including cross site scripting, cross-user defacement, web cache poisoning, hijacking pages and browser cache poisoning. More information about this type of attack vector can be found at http://www.securiteam.com/securityreviews/5WP0E2KFGK.html.
Catalogs based on the standard demo are not known to be vulnerable out-of-the-box, but there is still the potential of the split response vulnerability impacting custom pages or functionalities. In particular, if you have enabled either the BounceReferrals or BounceRobotSessionURL directives you may be vulnerable to this attack.
To protect against exploits, we strongly recommend all public Interchange sites upgrade to the latest point release in the current series.
- 2014-02-26: Interchange 6 Hackathon
- 2013-10-30: Ecommerce Innovation conference report
- 2013-07-19: Interchange 5.8.0 stable release
- 2013-03-18: eCommerce Innovations 2013 Conference
- 2013-02-13: Extensive Hall of Fame updates
- 2012-12-28: Josh Lavin joins Interchange core team
- 2011-06-12: Interchange 5.7.7 development release
- 2011-04-14: IRC Meeting Report
- 2011-03-28: Interchange IRC Meeting: April 14, 2011
- 2010-03-24: Interchange security releases: 5.7.6, 5.6.3, 5.4.5
- 2010-02-23: Interchange 5.7.5 development release
- 2009-12-09: Interchange 5.7.4 development release
- 2009-11-05: Interchange 5.7.3 development release
- 2009-09-17: Interchange security releases: 5.7.2, 5.6.2, 5.4.4
- 2009-08-23: Next Interchange community meeting
- 2009-08-13: David Christensen joins core team
- 2009-08-12: Payflow Pro legacy API retirement on September 1
- 2009-05-25: Interchange source code migrated to Git
- 2009-05-19: LinuxTag 2009
- 2009-05-13: Experimental UTF-8 branch
- 2008-12-05: JT Justman joins the Interchange core team
- 2008-11-13: Interchange 5.4.3, 5.6.1, 5.7.1 released
- 2008-06-01: Back from LinuxTag
- 2008-05-21: Interchange 5.6.0 released
- 2008-05-17: Interchange 5.5.3 development released
- 2008-05-08: Interchange at LinuxTag 2008!
- 2008-04-29: Interchange 5.5.2 development release available
- 2007-08-21: Interchange 5.5.1 development release available
- 2007-08-08: Bug Squashing Party
- 2007-06-18: New Debian Packages (5.4.2-3)
- 2007-06-13: Debian Packages for Etch
- 2007-04-05: Interchange goes to Linuxtag!
- 2007-02-27: Ron Phipps joins the Interchange core team
- 2007-02-07: Interchange 5.4.2 released
- 2006-08-28: New Developers pajamian and thunder
- 2006-05-26: Interchange 5.4.1 released
- 2006-03-28: Improved search system on www.icdevgroup.org
- 2006-03-27: [/page] and [/order] macros
- 2006-03-25: XMLDOCS documentation
- 2006-01-31: Development tree notice
- 2005-12-31: Interchange 5.4 release
- 2005-12-12: Interchange 5.3.3 developer release
- 2005-12-12: New ICDEVGROUP website
- 2005-11-23: Interchange 5.3.2 beta release available
- 2005-10-18: Interchange 5.4 (stable) release schedule