david at endpoint
Mar 24, 2010, 10:31 PM
Interchange security releases: 5.7.6, 5.6.3, 5.4.5
Today we are releasing three new versions of Interchange:
* Interchange 5.7.6 is the latest development version representing all
recent improvements and new features to increase developer efficiency
and fix bugs.
* Interchange 5.6.3 is the latest stable version which includes the most
important changes backported to provide the most stability possible for
those upgrading from versions 5.6.0, 5.6.1 or 5.6.2.
* Interchange 5.4.5 is an update of the previous stable series of releases
provided only to fix a serious security problem.
All three releases close a potential HTTP response splitting
vulnerability. This type of vulnerability can have multiple impacts
including cross-site scripting, cross-user defacement, web cache
poisoning, hijacking pages and browser cache poisoning. More
information about this type of attack vector can be found at
Catalogs based on the standard demo are not known to be vulnerable
out-of-the-box, but there is still the potential of the split response
vulnerability impacting custom pages or functionalities. In
particular, if you have enabled either the BounceReferrals or
BounceRobotSessionURL directives you may be vulnerable to this attack.
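The paragraph above describes the class of defect the releases fix: a redirect (or any other header) built from a value the client controls, such as a Referer, and emitted without checking for carriage return or line feed, so the one response can be turned into two. The following is an added illustration in Python, not Interchange code and not the patch shipped in these releases; the function names, the allowed-host set and the constructed sample referrer are assumptions made for the example. It places the unchecked construction beside a hardened one that rejects control characters and restricts the redirect target, and includes a small helper a tester can use to confirm that a response has not been split.

```python
"""Added example (not Interchange code): emitting an HTTP redirect whose
Location value comes from untrusted input (e.g. a Referer header), and
refusing CR/LF so the response cannot be split into two responses."""
import re
from urllib.parse import urlsplit

CRLF = "\r\n"
# CR, LF or NUL inside a header value terminates the header early and lets
# whatever follows be parsed as further headers or a second response.
_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header value or redirect target fails validation."""


def unsafe_redirect(location: str) -> str:
    """The defective pattern: the value is concatenated verbatim."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}"


def safe_header_value(value: str) -> str:
    """Reject (rather than silently strip) control characters, so the caller
    can log the event and refuse the request instead of emitting a guess."""
    if _CTL.search(value):
        raise HeaderInjectionError("control character in header value")
    return value


def safe_redirect(location: str, allowed_hosts: set) -> str:
    """Hardened form: control-character check plus an allow-list of hosts,
    so a bounce can only send the browser to a site we operate."""
    value = safe_header_value(location)
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        raise HeaderInjectionError("redirect target not allowed")
    return f"HTTP/1.1 302 Found{CRLF}Location: {value}{CRLF}{CRLF}"


def count_responses(raw: str) -> int:
    """Count HTTP status lines in raw response text; a split response has two.
    Useful in a regression test against a staging catalog."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw, flags=re.M))


# Constructed sample: a Referer value carrying an embedded second response.
SAMPLE_BAD_REFERRER = (
    "http://shop.example/\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>injected</p>"
)
SAMPLE_GOOD_REFERRER = "https://shop.example/cart"
ALLOWED_HOSTS = {"shop.example"}

if __name__ == "__main__":
    print("unchecked:", count_responses(unsafe_redirect(SAMPLE_BAD_REFERRER)), "responses")
    try:
        safe_redirect(SAMPLE_BAD_REFERRER, ALLOWED_HOSTS)
    except HeaderInjectionError as exc:
        print("hardened refused:", exc)
    print("hardened ok:", count_responses(safe_redirect(SAMPLE_GOOD_REFERRER, ALLOWED_HOSTS)), "response")
```

The check is deliberately a rejection, not a strip: once a control character has reached header construction the input is already hostile, and refusing it (with a log line) is both safer and easier to detect than quietly "cleaning" it. The host allow-list closes the related open-redirect problem that a referrer-based bounce otherwise carries, which is why a reviewer would want both in any code path that uses BounceReferrals-style behaviour.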
To protect against exploits, we strongly recommend all public Interchange
sites upgrade to the latest point release in the current series.
The software and more detailed change logs are available here:
SHA1 hashes of the release files:
Detached PGP signatures signed by my key (id CE699D4E) are alongside
each file for download and verification.
Further information and links to documentation and the user discussion
mailing list are at:
Interchange Development Group
interchange-announce mailing list
interchange-announce [at] icdevgroup