 

security-patch-2007-10-29.tgz

 
  #71  
Old 11-13-2007, 07:16 AM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: security-patch-2007-10-29.tgz

Today I see a notice at the top of the Communication Index in my account with Qualiteam:

Quote:
Dear X-Cart customers,

On Oct, 29 the latest security patch was released. Recently some insignificant issues related to patch application were revealed. We have revised this patch and corrected it. As an improvement the possibility to apply the patch via DIFF file was added. The patch was re-uploaded to the 'File area' section of the HelpDesk, it is named security-patch-2007-10-29(rev_2).tgz. Please accept our apologies for the inconveniences.

TechSupport Team.

Does anybody know if this contains the new files they have been working on, or is this from last week, IOW, the files that still caused problems?
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
  #72  
Old 11-13-2007, 08:12 AM
 
carpeperdiem carpeperdiem is offline
 

X-Guru
  
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399
 

Default Re: security-patch-2007-10-29.tgz

rev 2 diff seems to be ok, but the rev 2 files are not correct yet. wait if you can... or else dig into the diff.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
  #73  
Old 11-13-2007, 08:24 AM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: security-patch-2007-10-29.tgz

OK, thanks.
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
  #74  
Old 11-13-2007, 10:08 AM
 
donmck donmck is offline
 

Senior Member
  
Join Date: Dec 2005
Location: Australia
Posts: 137
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by carpeperdiem
rev 2 diff seems to be ok, but the rev 2 files are not correct yet. wait if you can... or else dig into the diff.

Sorry, I am having problems understanding this. I thought I had it right.

We are sent an email to say we need to do the security patches.
This forum tells us that the diff files don't work, so I manually go about patching my own, as the new files aren't in sight, and I am concerned, as I am getting SQL errors of the type mentioned in other security threads in this forum.

Not many, maybe only one every two days now. I think one was named r57.txt, and Google found it quickly, and gave an explanation.

Now there is a notice, not an email, that the new files are available.
BUT, it seems that the diff files are OK, but the replacement files aren't?
Does this mean, I haven't done the security patches on my cart?
I would really like to know if the current replacement files are correct or not.

Thanks in advance, Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

█ Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
  #75  
Old 11-14-2007, 02:19 AM
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,121
 

Default Re: security-patch-2007-10-29.tgz

security-patch-2007-10-29(rev_2).tgz file contains the revised patch for the same issue we are discussing here.

The revised patch DOES work (it was confirmed by our "Software QA dept"). When I say "work" I mean it fixes the issue if applied properly.

The security-patch-2007-10-29(rev_2).tgz file contains:
* revised .DIFF files placed in better structured directories. The .DIFF files should be used if you have any custom mods in your X-Cart
* revised PHP files for replacing idem PHP files in your X-Cart (CAUTION: You can go this way if you do not have ANY custom mods)
* improved instructions on how to apply the patch

Before you start applying the patch I advise you to read the README file which comes in the security-patch-2007-10-29(rev_2).tgz file. If you experience trouble applying the revised patch I recommend that you contact our techs using your HelpDesk account.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
  #76  
Old 11-14-2007, 09:35 AM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by ambal
security-patch-2007-10-29(rev_2)

* improved instructions on how to apply the patch

I really appreciate the full, clear instructions. I send thanks to whoever it was at Qualiteam who took the time to write those out.
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
  #77  
Old 11-14-2007, 09:38 AM
 
starwest starwest is offline
 

eXpert
  
Join Date: Sep 2006
Posts: 268
 

Default Re: security-patch-2007-10-29.tgz

To clarify:

If we've previously installed the patch manually from the first set of DIFF files (version 1) released do we need to reinstall the patch manually with this new set of DIFF files (version 2)?
__________________
X-Cart Gold v4.1.10 [unix]
AOM, Special Offers, CDSEO Pro, Remember Anon Carts, Back-In-Stock Notifications, MM3, Feed Manager
  #78  
Old 11-14-2007, 09:44 AM
 
donmck donmck is offline
 

Senior Member
  
Join Date: Dec 2005
Location: Australia
Posts: 137
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by starwest
To clarify:

If we've previously installed the patch manually from the first set of DIFF files (version 1) released do we need to reinstall the patch manually with this new set of DIFF files (version 2)?

It looks like it. I have just checked my version 4.0.17 func.php files for REV_1 and REV_2, and they are very different, so I guess I get everything back to where it was before all of this started, and try again.

Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

█ Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
  #79  
Old 11-14-2007, 11:33 AM
 
geckoday geckoday is offline
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by donmck
It looks like it. I have just checked my version 4.0.17 func.php files for REV_1 and REV_2, and they are very different, so I guess I get everything back to where it was before all of this started, and try again.

Don...

Same with 4.0.19. Some small changes were made to the func.php diff file but they are significant security-wise and to prevent throwing errors mostly in some admin areas. I was able to compare the two diff files and apply the changes from rev 2 to my rev 1 updated func.php. But you can't run the rev_2 diffs against rev_1 updated files- you must go back to unpatched files.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
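
The point in post #79 above, that a rev 2 diff only applies to unpatched files, shown as an added example that is not part of the thread or of Qualiteam's patch. The file contents are constructed stand-ins rather than X-Cart code, and the check is a strict, no-fuzz comparison of one single-file unified diff against its target, which is simpler than what the `patch` utility does.

```python
import difflib
import re

HUNK = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")

# Constructed stand-ins for one file in three states (not X-Cart code).
UNPATCHED = ["<?php", "function lookup($input) {", "    $id = $input;",
             "    return run($id);", "}"]
REV1_PATCHED = UNPATCHED[:2] + ["    $id = trim($input);"] + UNPATCHED[3:]
REV2_PATCHED = UNPATCHED[:2] + ["    $id = intval($input);"] + UNPATCHED[3:]


def make_diff(old, new, name="func.php"):
    """Unified diff that turns `old` into `new` (lists of lines, no newlines)."""
    return list(difflib.unified_diff(old, new, "a/" + name, "b/" + name,
                                     lineterm=""))


def mismatches(diff_lines, target):
    """Dry run: list (line_no, expected_text) where the diff's context or
    removed lines do not match `target` at the position the hunk states."""
    problems = []
    pos = None  # index into target; None until the first @@ header
    for line in diff_lines:
        header = HUNK.match(line)
        if header:
            pos = int(header.group(1)) - 1
            continue
        if pos is None:          # file headers before the first hunk
            continue
        tag, text = line[:1], line[1:]
        if tag == "+":           # added lines are not expected in the target
            continue
        if pos >= len(target) or target[pos] != text:
            problems.append((pos + 1, text))
        pos += 1
    return problems


# The rev 2 diff is always produced against the unpatched file.
REV2_DIFF = make_diff(UNPATCHED, REV2_PATCHED)

if __name__ == "__main__":
    print("rev 2 diff vs unpatched file:   ", mismatches(REV2_DIFF, UNPATCHED))
    print("rev 2 diff vs rev 1 patched file:", mismatches(REV2_DIFF, REV1_PATCHED))
```

An empty list means every hunk lines up with the target; any entry names the line the diff expected to find and did not, which is what happens when rev 1 changes are still in place.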
  #80  
Old 11-14-2007, 11:47 AM
 
donmck donmck is offline
 

Senior Member
  
Join Date: Dec 2005
Location: Australia
Posts: 137
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by geckoday
Same with 4.0.19. Some small changes were made to the func.php diff file but they are significant security-wise and to prevent throwing errors mostly in some admin areas. I was able to compare the two diff files and apply the changes from rev 2 to my rev 1 updated func.php. But you can't run the rev_2 diffs against rev_1 updated files- you must go back to unpatched files.

Thanks Ralph,

I guess I better go back and check all the files then. There may be other significant changes in these as well as the func.php file.

Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

█ Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)