Here comes another maintenance release for Dotclear. In this one, you'll find:
- Some internal clean-up of development files that were preventing a clean upgrade under unusual circumstances.
- Localisation problems have been corrected for our new dashboard system.
- Cleaning and refining for some CSS & JS files.
- There was a problem with the user preferences in the import/export module. This has been corrected.
- You can now configure the email address used to send password reminders.
- A potential security flaw has been fixed, plus some other security tightening.
About the last two points:
Starting with this version, the sender address for password reminder emails is set in the config file. On new installations a default one is defined; for security reasons, this is not done automatically on upgrades. Please add the following line to your inc.config.php file:
define('DC_ADMIN_MAILFROM','dotclear@theaddressyouwant.com');
If you don't, Dotclear will work as usual; the only effect is that password reminder mails will score higher in antispam systems.
About the security fix and the tightening: you don't have to worry about the tightening, we just hardened the software for its future life. There is a real security flaw, though, that could have been used under certain rare circumstances to gain access to an administrator account. You are still encouraged to update: better safe than sorry.
Those security issues were reported by Jérémie Boutoille while he was participating in Pirate-Moi, a monthly hacking contest that chose Dotclear for its last edition.
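If you upgrade many installations, you will want to add that line by script rather than by hand. The following POSIX shell helper is an added example for this post, not part of Dotclear itself: it adds the define only if it is not already present, refuses addresses that could break the PHP string literal, and inserts before a trailing closing tag if the file ends with one. The function name ensure_mailfrom, the sample config content and the address dotclear@example.com are constructed for the example; whether your inc.config.php ends with a closing tag is an assumption the script checks rather than relies on.

```shell
#!/bin/sh
# Added example, not Dotclear's own code: idempotently add the
# DC_ADMIN_MAILFROM define to an existing inc.config.php on upgrade.
# Assumptions: the file is plain PHP with one define() per line and may
# or may not end with a closing "?>" line; the address check is a simple
# pattern, not full RFC 5322 validation.

# ensure_mailfrom CONFIG_FILE ADDRESS
# Prints "added", "present" or "invalid"; returns non-zero on failure.
ensure_mailfrom() {
    cfg=$1
    addr=$2

    # Only allow a plausible single address: no spaces, quotes or
    # newlines, exactly one "@". This also keeps the generated PHP
    # string literal well-formed (no quote or semicolon can slip in).
    case $addr in
        ''|*[!A-Za-z0-9._%+@-]*|*@*@*|@*|*@) printf 'invalid\n'; return 1 ;;
        *@*) ;;
        *) printf 'invalid\n'; return 1 ;;
    esac

    # Already configured: never add a second, conflicting define().
    if grep -q "define('DC_ADMIN_MAILFROM'" "$cfg" 2>/dev/null; then
        printf 'present\n'
        return 0
    fi

    line="define('DC_ADMIN_MAILFROM','$addr');"

    # Insert before a trailing "?>" if the file has one, else append.
    if [ -f "$cfg" ] && [ "$(tail -n 1 "$cfg")" = "?>" ]; then
        tmp=$(mktemp) || return 1
        sed '$d' "$cfg" > "$tmp"
        printf '%s\n?>\n' "$line" >> "$tmp"
        cat "$tmp" > "$cfg"   # overwrite in place, keeping file permissions
        rm -f "$tmp"
    else
        printf '%s\n' "$line" >> "$cfg"
    fi
    printf 'added\n'
}

# Usage: ensure_mailfrom /path/to/inc.config.php dotclear@example.com
```

Run it once per installation after the upgrade; a second run reports "present" and leaves the file untouched, so it is safe to include in a deployment script.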
Dotclear was not hacked during this contest. :)