Known Issues of TWiki 4.1.x Production Releases
These are known issues of TWiki-4.1.0, TWiki-4.1.1, and TWiki-4.1.2, code named EdinburghRelease. The latest TWiki release is available at DownloadTWiki.
Security Alerts
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- Security Audit L3: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert L2: Cross-site request forgery vulnerability with image tag
- Security Alert L1: TWiki SEARCH variable allows arbitrary shell command execution
- Security Alert L3: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Security Alert L1: Arbitrary Code Execution in Configure Script
- Security Audit L3: Incorrect documentation of permission settings with empty values
- Security Alert L2: Arbitrary code execution in session files (CVE-2007-0669)
Major issues
| Fixed in | Description |
|---|---|
| TWiki-4.2.0 | The pub/_work_area directory is not protected by the documented httpd config file for TWiki. The default TWiki does not keep anything in this directory, but some plugins may keep private information in this area. If your site is configured by .htaccess files you are OK. If you use an Apache config file, add this to your TWiki Apache config file (assuming /var/www/twiki as your TWiki root directory): <Directory "/var/www/twiki/pub/_work_areas"> deny from all </Directory> The ApacheConfigGenerator has been updated so it creates a protected work area for the plugins. |
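A check for the work-area protection described above, as an added example that is not part of the original TWiki page or distribution: it scans Apache configuration text for a Directory block covering pub/_work_areas and confirms that the block denies all access. The function names, the sample configurations, and the acceptance of the Apache 2.4 `Require all denied` form are assumptions of this example; the path follows the configuration snippet on this page.

```python
import re

# <Directory "path"> ... </Directory>; a block that is never closed does not match.
BLOCK = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory\s*>', re.I | re.S)
DENY = {"deny from all", "require all denied"}   # Apache 2.2 form / 2.4 form (assumed)
ALLOW = ("allow from", "require all granted")

# Constructed sample configurations, not taken from a real server.
PUB = '<Directory "/var/www/twiki/pub">\n  Order allow,deny\n  Allow from all\n</Directory>\n'
FIX = '<Directory "/var/www/twiki/pub/_work_areas">\n  deny from all\n</Directory>\n'
UNCLOSED = '<Directory "/var/www/twiki/pub/_work_areas">\n  deny from all\n<Directory>\n'


def directives(body):
    """Return whitespace-normalised, lower-cased directives, skipping blanks and comments."""
    lines = (" ".join(raw.split()).lower() for raw in body.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def work_area_protected(conf_text, twiki_root="/var/www/twiki"):
    """True if a well-formed Directory block denies all access to pub/_work_areas."""
    target = twiki_root.rstrip("/") + "/pub/_work_areas"
    for path, body in BLOCK.findall(conf_text):
        if path.rstrip("/") != target:
            continue
        if "<directory" in body.lower():
            continue  # swallowed another block: the work-area block was never closed
        lines = directives(body)
        if any(l in DENY for l in lines) and not any(l.startswith(ALLOW) for l in lines):
            return True
    return False


if __name__ == "__main__":
    for name, conf in [("pub only", PUB), ("with fix", PUB + FIX), ("unclosed", PUB + UNCLOSED)]:
        print(name, "->", "protected" if work_area_protected(conf) else "NOT protected")
```

A block whose closing tag is missing or mistyped is reported as not protected, since Apache would not accept it as a valid Directory section either.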
Minor issues
Major issues
Minor issues
Major issues
| Fixed in | Description |
|---|---|
| TWiki-4.1.1 | Item3546 - Session files should not be mixed with normal tmp files from other applications |
| TWiki-4.1.1 | Item3544 - Deleting an attachment can cause TWiki to hang almost forever |
| TWiki-4.1.1 | Item3533 - Redirect to viewauth broken when using script suffix and apache login |
| TWiki-4.1.1 | Item3489 - Formatted search breaks with formfield variables and when using nested search. Fix can be downloaded from the bug report. Fix was updated 27 Jan 2007 |
| TWiki-4.1.1 | Item3483 - ALLOWWEBVIEW and ALLOWTOPICVIEW forwards you to a garbage page after authentication when using ApacheLogin. Fix can be downloaded from the bug report. |
| Pending | Item3564 - TWiki 4.1 only works on Perl 5.8, should run on Perl 5.0.3 |
Minor issues
| Fixed in | Description |
|---|---|
| N/A | Item3510 - CommentPlugin templates newline issue. With TWiki 4.1.X, %TMPL:DEF.. no longer removes leading white space. This influences templates, including those used by CommentPlugin. It is simple to fix: if your existing COMMENT based application adds unwanted newlines, simply delete the newline after the %TMPL:DEF..% tag so that your template starts on the same line as %TMPL:DEF..% |
| TWiki-4.1.1 | Item3500 - Several attachments missing in TWikiDocGraphics |
| TWiki-4.1.1 | Item3488 - Autoattaching a single file does not work. Fix can be downloaded from the bug report. |
| TWiki-4.1.1 | Item3478 - Configure requires that tools and lib directories are placed in the same parent directory in order to be able to find the tools/DEPENDENCIES files. |
| TWiki-4.1.1 | Item3476 - The configure script dies with error "Perl v5.8.0 required--this is only v5.6.1." But TWiki can run with Perl 5.6.X. See Item3476 for fix. |
| TWiki-4.1.1 | Item3471 - When trying to create a new topic using the Jump field or URL, the topic creation feature is broken when a web does not have the WebTopicCreator topic. Work-around for upgraders: simply copy the WebTopicCreator.txt file from the TWiki web into each of your old Web directories. Then it all works fine. |
Bug reports
Please visit the bugs web to review and report bugs.
-- Contributors: PeterThoeny, KennethLavrsen - 05 Feb 2007
Discussion
What was the point of the 4.1.2 release? No major nor minor issues fixed. What benefit do I have in upgrading, besides having one file less (lib/LocalSite.cfg.txt) ....
-- AndersHolm - 13 Mar 2007
Not sure what is that topic about now?!? I ended up there as I was looking for the show stopper concerning 4.2 but that topic title suggests it applies to 4.1 however in the paragraph concerning 4.1.2 it mentions a bug concerning 4.2 !?! I guess it's just work in progress. BTW AndersHolm as far as I'm concerned 4.1.2 provided genuine benefits from 4.1.1. See TWikiHistory.
-- StephaneLenclud - 21 Jan 2008