From: David Christensen
To: interchange-announce@icdevgroup.org, interchange-users@icdevgroup.org
Subject: Interchange security releases: 5.7.6, 5.6.3, 5.4.5

Today we are releasing three new versions of Interchange:

* Interchange 5.7.6 is the latest development version, representing all recent improvements and new features to increase developer efficiency and fix bugs.

* Interchange 5.6.3 is the latest stable version, which includes the most important changes backported to provide the most stability possible for those upgrading from versions 5.6.0, 5.6.1 or 5.6.2.

* Interchange 5.4.5 is an update of the previous stable series of releases, provided only to fix a serious security problem.

All three releases close a potential HTTP response splitting vulnerability. This type of vulnerability can have multiple impacts, including cross-site scripting, cross-user defacement, web cache poisoning, page hijacking and browser cache poisoning. More information about this type of attack vector can be found at http://www.securiteam.com/securityreviews/5WP0E2KFGK.html.

Catalogs based on the standard demo are not known to be vulnerable out of the box, but the response splitting vulnerability can still affect custom pages or functionality. In particular, if you have enabled either the BounceReferrals or BounceRobotSessionURL directive you may be vulnerable to this attack. To protect against exploits, we strongly recommend that all public Interchange sites upgrade to the latest point release in the current series.
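The following is an added illustration of the response splitting pattern this advisory refers to; it is not Interchange code and does not reproduce the fixed bug. It assumes the generic shape of a "bounce" redirect: a value taken from the request (a Referer, or a URL rebuilt without a session id) is copied into a Location header. If that value contains CR LF, the attacker terminates the real response and supplies a second one of their own, which a proxy, cache or browser then reads as a separate message. The hardened variant rejects any control character before the value reaches a header; the attacker input and the minimal message parser are constructed here for the demo.

```python
import re

# Constructed attacker-controlled value: a "URL" carrying CR LF pairs that end the
# real 302 and start a second, attacker-authored 200 response with an HTML body.
INJECTED = (
    "http://shop.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 8\r\n"
    "\r\n"
    "injected"
)
BENIGN = "http://shop.example/page.html"


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable pattern: request-derived value interpolated into a header unchecked."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


# CR, LF and every other C0 control byte plus DEL: none belongs in a header value.
HEADER_CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_header_value(value: str) -> str:
    """Reject rather than strip: a redirect target containing CR/LF is never legitimate."""
    if HEADER_CTL.search(value):
        raise ValueError("control character in header value")
    return value


def build_redirect_hardened(target: str) -> bytes:
    """Same redirect, but the value is validated before it is placed in the header."""
    return build_redirect_vulnerable(safe_header_value(target))


def hardened_rejects(target: str) -> bool:
    """True if the hardened builder refuses the value (used to show the check fires)."""
    try:
        build_redirect_hardened(target)
    except ValueError:
        return True
    return False


def split_responses(stream: bytes) -> list:
    """Parse a byte stream the way a naive proxy or browser would: each message is a
    status line, headers, a blank line, then Content-Length bytes of body."""
    messages = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = stream[pos:end].decode("latin-1").split("\r\n")
        if not head[0].startswith("HTTP/"):
            break  # trailing bytes that are not a message; stop here
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4 : end + 4 + length]
        messages.append({"status": head[0], "headers": headers, "body": body})
        pos = end + 4 + length
    return messages


if __name__ == "__main__":
    # One request, two responses: the second is entirely attacker-controlled.
    for m in split_responses(build_redirect_vulnerable(INJECTED)):
        print(m["status"], m["headers"], m["body"])
    print("hardened rejects injected value:", hardened_rejects(INJECTED))
    print("hardened accepts benign value:", not hardened_rejects(BENIGN))
```

The second parsed message is what a shared cache would store against whatever URL the attacker requested next, which is the cache poisoning path the advisory lists; the same body delivered to a victim's browser is the cross-site scripting path. Note the validation rejects the whole value instead of deleting the offending bytes, so an encoding trick that survives stripping cannot slip through.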
The software and more detailed change logs are available here:

http://ftp.icdevgroup.org/interchange/

SHA1 hashes of the release files:

da021e9dd71128a6faa88ed162c3b14c976260a1  interchange-5.7.6.tar.bz2
a9c39ac51e5f317771c350ac409788602f18582b  interchange-5.7.6.tar.gz
8c184dab3a4156ff04f9166f793de430dbf0c77e  interchange-5.7.6.tar.xz
143a3164d58fc07e0fa0eafced522d7ac8c6fb94  interchange-5.6.3.tar.bz2
78635a51f9c66eaff875c789c99584ee6f0eacd6  interchange-5.6.3.tar.gz
88ee839353b313c7575701fbfea5f3a899788706  interchange-5.6.3.tar.xz
a97ee14ef49d596324a5688a8e0b9564365b9a7f  interchange-5.4.5.tar.bz2
a75aafbeba94cdf0c790b001576b80be99659a43  interchange-5.4.5.tar.gz
0039b2b19630c049ecdbf6f678be1f24dbca0a6f  interchange-5.4.5.tar.xz

Detached PGP signatures signed by my key (id CE699D4E) are alongside each file for download and verification.

Further information and links to documentation and the user discussion mailing list are at:

http://www.icdevgroup.org/

David Christensen
Interchange Development Group
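As an added example (not part of the announcement or the Interchange project), here is a small checker for the hash list above in the "<sha1 hex>  <filename>" layout the announcement uses: it reports each published file as OK, MISMATCH or MISSING from the download directory. The demo files and digests in it are constructed; the real values are the ones published above. Keep in mind that a hash list served from the same mirror as the tarballs only protects against corruption, since whoever can replace the tarball can replace the list; the detached PGP signature from the release key is the authenticity check, and the hash check is a cheap first filter before running gpg.

```python
import hashlib
import os
import tempfile


def parse_sha1_list(text: str) -> dict:
    """Map filename -> expected hex digest, skipping any line that is not a hash entry."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 40:
            entries[parts[1]] = parts[0].lower()
    return entries


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA1 so large tarballs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(list_text: str, directory: str) -> dict:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in the list."""
    results = {}
    for name, expected in parse_sha1_list(list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha1_of_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one altered file, one never downloaded.
    The digest below is SHA1 of the bytes b"hello"; the names are placeholders."""
    published = (
        "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  good.tar.gz\n"
        "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  tampered.tar.gz\n"
        "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  missing.tar.gz\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(d, "tampered.tar.gz"), "wb") as f:
            f.write(b"hello!")  # one extra byte, as a substituted download would differ
        return verify_downloads(published, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Against a real download directory, paste the announcement's hash lines into `list_text` and point `verify_downloads` at the directory; for each file that reports OK, then verify the detached signature with something like `gpg --verify interchange-5.7.6.tar.gz.asc interchange-5.7.6.tar.gz` (the `.asc` suffix is an assumption about how the signatures are named; use whatever filename is actually alongside each tarball), after confirming that the signing key you fetched really is CE699D4E through a channel other than the mirror itself.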