Security bulletin 2008-12-18

 
#51 Ene (X-Cart team), 12-30-2008, 11:49 PM

Quote:
Most distributions by other companies would have an extension on the end of the version number to denote additional changes

Even putting a unix timestamp may be helpful, or just a date:
4.2.0-1230661200 = 12/30/2008 18:20
OR
4.2.0-12302008 or just 4.2.0-1230

Definitely if changes are being made to an archive, that can create serious issues (even from bug tracking point of view).

HelpDesk file area.
[Attached image: file_area.png]
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.

#52 Chris B (eXpert), 12-31-2008, 03:17 PM

Hi Ene,

The dates within the support helpdesk file download area have dates not related to the release dates. I noticed that last week when I was checking to make sure all patches were applied to each version we use.

Many say January 10, 08 even though they are patches from 2006.

ScreenShot Attached

Chris
[Attached image: screenprint.jpg]
__________________
4.0x - 4.5x

#53 bigredseo (X-Man), 01-01-2009, 07:58 AM

Hello Eugene,

I was referring to the actual RELEASE scripts, not the patches.

If the script available for download on 12/29 is different from that which was available on 10/9, there should be indication to the user that patches have been applied (or bug fixes), and that the original 10/9 script they downloaded is now incomplete compared to the release available on 12/29.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance

#54 gb2world (X-Wizard), 01-02-2009, 11:36 AM

Hi Eugene -

Maybe this will help to make the issue clearer:

Are the security patches provided for 4.1.11 applicable to any version of the 4.1.11 distribution?

For example - I have a 4.1.11 instance which was created from an upgrade patch for 4.1.10->4.1.11 downloaded in early September. I did a diff of the file versions of my cart to a current 4.1.11 cart - There are over 100 files which have been updated since I upgraded. Can the patch be applied with confidence, or are any of the other changes also required?

I have other 4.1.11 instances which have different file versions, depending upon when I downloaded them.

I also have a 4.1.9 instance of XCART - but I don't think I have a way to compare it to what is your latest 4.1.9 release. Is it possible to publish a versions file for previous 4.1.x distributions?
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)

#55 Ene (X-Cart team), 01-05-2009, 01:59 AM

Quote:
The dates within the support helpdesk file download area have dates not related to the release dates. I noticed that last week when I was checking to make sure all patches were applied to each version we use.

Sometimes the security patches can be re-uploaded later. For example due to reorganisation of the File Area folders.

Quote:
Are the security patches provided for 4.1.11 applicable to any version of the 4.1.11 distribution?

Yes.
We do not change the distribution packs once we upload them. So X-Cart 4.1.11 you downloaded one month earlier and 4.1.11 you've downloaded today are the same.

Quote:
Can the patch be applied with confidence, or are any of the other changes also required?

If you upgraded your store correctly, you can apply the patch without any worries.

Quote:
I also have a 4.1.9 instance of XCART - but I don't think I have a way to compare it to what is your latest 4.1.9 release. Is it possible to publish a versions file for previous 4.1.x distributions?

As I said before you should just download the security patch for 4.1.9 version and apply it.

#56 beetlejuice (eXpert), 01-07-2009, 10:28 PM

from post #47

Well I'm no closer to finding the real solution. I submitted one of the prepare.php 4.1.9 files to QT and they replied that it hadn't had any patches applied so I would need to install each one after downloading from the file area. Did that and it worked fine, however trying to patch the prepare.php on another 4.1.9 store was impossible as it was missing too many lines of code, and from what I could gather looked more like a 4.1.10 prepare.php than a 4.1.9. So I downloaded the 4.1.10 security patches and they seemed to be Ok for the prepare.php changes. And before you jump, it is definitely a 4.1.9 store (well according to the patch/upgrade area in admin). The store works fine so I'm going to load a backup of XCart downloads I made some time ago and check to see if there are any variations between those downloads and the ones currently available from XCart's download area.

At least the stores are patched finally.
__________________
XCart 4.5.4, 4.6.1, 4.64 stores
Many, many mods from Altered Cart
XCart Mods Reboot template
The XCart Store Templates and Mods
WCM CDSEO Pro
BCSE Rewards Points and Gallery Mods
and a few others

#57 JWait (X-Man), 01-08-2009, 03:54 AM

"it is definitely a 4.1.9 store (well according to the patch/upgrade area in admin)"

You can't really trust that. I think all it does is compare what it says in the VERSION file with what it says in the xcart_config table for the "version". If they are wrong, but both say the same thing you would never know it.
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
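
Posts #54 and #57 come down to the same check: compare file contents against a known reference copy instead of relying on the version label. The following is an added example, not part of the original thread and not X-Cart code; the function names, the sample files other than VERSION and prepare.php, and the VERSION file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(reference, installed):
    """Report content drift between a reference distribution and an installed cart."""
    ref, inst = manifest(reference), manifest(installed)
    return {
        "modified": sorted(f for f in ref.keys() & inst.keys() if ref[f] != inst[f]),
        "missing": sorted(ref.keys() - inst.keys()),   # in the reference only
        "extra": sorted(inst.keys() - ref.keys()),     # in the installed tree only
    }


def build_sample():
    """Constructed sample: two tiny trees whose VERSION files are identical."""
    base = Path(tempfile.mkdtemp())
    trees = {
        # File contents are made up; only the names VERSION and prepare.php
        # come from the thread.
        "reference": {"VERSION": "4.1.9\n",
                      "prepare.php": "<?php // reference build\n",
                      "home.php": "<?php // home\n"},
        "installed": {"VERSION": "4.1.9\n",
                      "prepare.php": "<?php // differs from reference\n",
                      "skin1/custom.tpl": "{* local template *}\n"},
    }
    for name, files in trees.items():
        for rel, text in files.items():
            path = base / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return base / "reference", base / "installed"


if __name__ == "__main__":
    reference, installed = build_sample()
    for kind, names in compare_trees(reference, installed).items():
        print(f"{kind}: {names}")
```

Both sample trees carry the same VERSION file, yet the comparison still reports prepare.php as modified, which a label-to-label version check cannot see.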