[Interchange-announce] Interchange security releases: 5.7.6, 5.6.3, 5.4.5

David Christensen david at endpoint.com
Thu Mar 25 05:31:58 UTC 2010


Today we are releasing three new versions of Interchange:

* Interchange 5.7.6 is the latest development version, representing all
recent improvements and new features to increase developer efficiency
and fix bugs.

* Interchange 5.6.3 is the latest stable version, which includes the most
important changes backported to provide the most stability possible for
those upgrading from versions 5.6.0, 5.6.1 or 5.6.2.

* Interchange 5.4.5 is an update of the previous stable series of releases,
provided only to fix a serious security problem.

All three releases close a potential HTTP response splitting
vulnerability.  This type of vulnerability can have multiple impacts,
including cross-site scripting, cross-user defacement, web cache
poisoning, page hijacking and browser cache poisoning.  More
information about this type of attack vector can be found at
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html.

Catalogs based on the standard demo are not known to be vulnerable
out of the box, but there is still the potential for the response
splitting vulnerability to affect custom pages or functionality.  In
particular, if you have enabled either the BounceReferrals or
BounceRobotSessionURL directives, you may be vulnerable to this attack.
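The defensive check that closes this class of bug, shown here as an added Python example rather than Interchange's own (Perl) code: a redirect target taken from request data is refused if it carries CR/LF or other control characters, or if it points off-site.  The function names, the allowed-host set and the sample inputs are assumed placeholders.

```python
import re
from urllib.parse import urlsplit

# CR, LF and the other C0 controls must never reach a header value: a CR/LF
# pair terminates the header, and whatever follows would be parsed as further
# headers or even a second response (HTTP response splitting).
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def header_value_is_safe(value: str) -> bool:
    """True if value contains no CR/LF or other control characters."""
    return _CTRL.search(value) is None


def safe_redirect_location(candidate: str, allowed_hosts: set, fallback: str) -> str:
    """Return a Location value that cannot split the response.

    The raw string is checked *before* parsing: urllib.parse.urlsplit in
    recent Python versions silently strips CR/LF/TAB from its input, so
    validating only the parsed result would miss an injected line break.
    Anything that is not http(s) to an allowed host collapses to fallback.
    """
    if not header_value_is_safe(candidate):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return fallback
    return candidate


def build_redirect_response(location: str) -> bytes:
    """Serialise a minimal 302; refuses to emit a header it cannot trust."""
    if not header_value_is_safe(location):
        raise ValueError("refusing to emit a header containing control characters")
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    allowed = {"shop.example"}  # constructed: the catalog's own hostname
    # Constructed inputs: a clean referrer, and one with an embedded CR/LF
    # as it would look after URL-decoding a hostile Referer header.
    for referrer in ("https://shop.example/cart", "https://shop.example/\r\nX-Injected: 1"):
        target = safe_redirect_location(referrer, allowed, "/")
        print(repr(referrer), "->", repr(target))
        print(build_redirect_response(target))
```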

To protect against exploits, we strongly recommend all public Interchange
sites upgrade to the latest point release in the current series.

The software and more detailed change logs are available here:

http://ftp.icdevgroup.org/interchange/

SHA1 hashes of the release files:

Detached PGP signatures signed by my key (id CE699D4E) are alongside
each file for download and verification.

Further information and links to documentation and the user discussion
mailing list are at:

http://www.icdevgroup.org/

David Christensen
Interchange Development Group
