Dear ILIAS admins,
the Jour Fixe of the ILIAS Society discussed the question of how to proceed
with the supported PHP versions at the last meeting [1].
To finally take the decision at the next meeting on 22.05 we need your
feedback on the issue:
Is there anyone who would be in severe trouble if we dropped the support
for PHP 5 completely with the subsequent release of ILIAS (i.e. ILIAS
5.4)? Do you see any problems if ILIAS 5.4, which will be released
somewhere around the end of 2018, only supports PHP > 7?
Please use the wiki page [1] to voice your opinion.
If we do not get any feedback we will decide to drop support for PHP 5
completely with the subsequent ILIAS release.
[1] http://www.ilias.de/docu/goto_docu_wiki_wpage_4770_1357.html
[2] http://php.net/releases/7_1_0.php
Best regards!
--
Richard Klees
on behalf of the Technical Board of the ILIAS Society
and also
Lead Developer Qualifizierungsmanagement
Dear list members,
again a media object related security issue has been identified and
fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher
Julian Rittweger for reporting this issue.
It was possible to upload SVG files as media objects (e.g. in wiki
pages) which could be used to inject and execute JavaScript (persistent
XSS).
With the latest fix of the responsible code maintainer, SVG files will
be sanitized when uploaded to ILIAS.
We strongly advise you to update your ILIAS installation to the latest
version.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
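
Added example, not part of the announcement above and not ILIAS code: a Python audit check that flags active content in an SVG file, for reviewing media objects stored before the update. It assumes earlier uploads were not re-processed by the fix; the names `svg_findings` and `ACTIVE_ELEMENTS` and the sample documents are constructed for illustration.

```python
import re
from xml.parsers import expat

ACTIVE_ELEMENTS = {"script", "foreignobject"}  # can run or embed script

def local(name):
    # Namespace processing is off, so names arrive as "prefix:local".
    return name.rsplit(":", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return reasons an SVG should not be served as-is (empty list = none found)."""
    findings = []

    def on_start(name, attrs):
        tag = local(name)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"{tag}: active element")
        for attr, value in attrs.items():
            if attr.startswith("xmlns"):
                continue  # namespace declarations are not event handlers
            if local(attr).startswith("on"):
                findings.append(f"{tag}: event attribute {attr}")
            # Browsers ignore whitespace and case in a URL scheme.
            if "javascript:" in re.sub(r"[\x00-\x20]", "", value).lower():
                findings.append(f"{tag}: javascript: URL in {attr}")

    def on_entity(*_args):
        # Refuse DTD entities outright (entity expansion, hidden markup).
        raise ValueError("DTD entity declaration")

    parser = expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except (expat.ExpatError, ValueError) as exc:
        findings.append(f"rejected: {exc}")
    return findings

# Constructed sample documents (not taken from the report).
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" opacity="1"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>void 0'
          b'</script><a href=" JavaScript:void 0"><text>t</text></a></svg>')
ENTITY = b'<!DOCTYPE svg [<!ENTITY a "b">]><svg>&a;</svg>'

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("active", ACTIVE), ("entity", ENTITY)):
        print(label, svg_findings(sample))
```

This only reports findings; it does not rewrite the file, so a flagged SVG still has to be removed or re-uploaded through the fixed upload path.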
Dear list members,
several security issues have been identified (thanks to Nicolas Schäfli
[studer + raimann ag] and Johannes [KIT]) and fixed for ILIAS versions
5.0, 5.1 and 5.2.
The first weakness was located in the code validation part of the self
registration.
The second type of vulnerability affected the XML import of course and
file objects. It was possible to copy arbitrary files into the media
object directory (course import), and to copy a source file to an
arbitrary location on the file system (file import).
We strongly advise you to update your ILIAS installation to the latest
version. For more detailed explanations don't hesitate to contact us.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board