=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN003
_____________________________________________________________________

DATE                      : 04/01/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running XOOPS versions prior to 2.4.3.

======================================================================
http://www.xoops.org/modules/news/article.php?storyid=5178
______________________________________________________________________

This release is a bugfix release of XOOPS 2.4.2, done by the XOOPS Core
Development Team and the XOOPS community:

Updates from the community:
- Added: Ability to assign display elements to a specific group of users (ghia)
- Added: Smarty variable for xoops_avatar (kris_fr/trabis)
- Added: Cache supported functions: xoops_getActiveModules(),
xoops_setActiveModules(), xoops_isActiveModule() (trabis)
- Added: XoopsMailer - Adding method to set 'allow html' parameter (Wishcraft)
- Improved: Preloads are only loaded for modules installed and active,
this will reduce queries and improve performance (trabis)
- Fixed : XoopsLoad class (xoops calendar not found and other issues) (trabis)
- Fixed : Database images not loading when using php 5.3 (trabis)
- Fixed : Cross-Site Scripting vulnerability in PM module (trabis/secunia.com)
- Fixed : SQL Injection vulnerability in kernel/notification.php (trabis/secunia.com)

Updates from Sourceforge trackers:
- Fixed bug #2917631 : Double frame around BBcode quotes in zetagenesis (kris_fr/ghia)
- Fixed bug #2923867 : Website Row is displayed even value is empty (trabis/maxxy)
- Fixed bug #2909312 : Layout of XoopsForms is changed (trabis/ghia)
- Fixed bug #2904777 : preload including not installed module's preloads (trabis/bandit-x)
- Fixed bug #2908887 : User can not select system avatars (trabis/ghia)
- Fixed bug #2911944 : Users can see other users profile in edit profile (trabis/ghia)
- Fixed bug #2910495 : BBcode code tag handles code worse than quote tag (trabis/ghia)
- Fixed bug #2914175 : code tags translate to double tags and alter first line (trabis/ghia)
- Fixed bug #2915970 : Banner white page on IE (trabis/ghia)

Added Language defines:
- language/english/banners.php _BANNERS_NO_LOGIN_DATA
- language/english/banners.php _BANNERS_NO_REFERER
- language/english/banners.php _BANNERS_NO_ID

Some of the highlights of the XOOPS 2.4.x series:

* a new Admin GUI: Oxygen (Voltan)
* new mechanism to modularize and extend Core via Preloads (trabis)
* central support for jQuery (trabis)
* improved Installer (DuGris)
* WCAG 2.0 - Sight Impaired Assisted Forms (wishcraft)
* Themeable Administration area (trabis)
* support for new WYSIWYG Editors: CKEditor, wymeditor, Xinha, and Spaw2 (wishcraft and Luciorota)
* new System Key (wishcraft)
* Support for PHP 5.3 (trabis)
* profile and pm modules improved by Trabis
* code refactoring and improvements (trabis, catzwolf)
* Security fixes (trabis, wishcraft)

and many more.

Please remember: if you're installing it over a previous installation,
make a BACKUP first!
Please also note that some hacks done for previous XOOPS versions might
not work with this release: testing before installing is always a good choice.

Download it from the Sourceforge repository.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

