Here comes another maintenance release for Dotclear. In this one, you'll find:

  • Some internal clean-up for development files that were preventing a clean upgrade under unusual circumstances.
  • Localisation problems have been corrected for our new dashboard system.
  • Cleaning and refining for some CSS & JS files.
  • There was a problem with the user preferences in the import/export module. This has been corrected.
  • You can now configure the email address used to send password reminders.
  • A potential security flaw has been fixed, along with some other security tightening.

About the last two points:

Starting with this version, the email address for reminders is set in the config file. On new installations, a default one will be defined. For security reasons, this will not be the case with upgrades. Please add the following line to your inc.config.php file:

define('DC_ADMIN_MAILFROM','dotclear@theaddressyouwant.com');

If you don't do so, Dotclear will work as usual. The only effect is that password reminder emails will get a higher score in antispam systems.

About the security fix and tightening: you don't have to worry about the tightening; we just enhanced the security for the software's future life. There is a true security flaw, though, that could have been used under certain rare circumstances to gain access to an administrator account. You are still encouraged to update: better safe than sorry.

Those security enhancements were indicated by Jérémie Boutoille, while he was participating in Pirate-Moi, a monthly hacking contest that chose Dotclear for its last edition.

Dotclear was not hacked during this contest. :)