System security update 3.1.2 -> 3.1.3: batch update applied.

Posted: 2017-02-06 11:36:48
Author: DWEBS
Type

A security update has been applied to the solution's system core.

 

Previous

3.1.2

Updated

3.1.3

 

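If any problems occur on your site after this update, please leave us an inquiry and we will resolve them promptly.

Applying system updates in one batch is one of the particular strengths of the in-house solution developed by DWEBS.

DWEBS always strives so that all of our clients can concentrate solely on their business.

Thank you for choosing DWEBS.

- DWEBS -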

 

 

Change Log

Version 3.1.3

Release Date: Jan 09, 2017

  • Security
    • Fixed an XSS vulnerability in Security Library method xss_clean().
    • Fixed a possible file inclusion vulnerability in Loader Library method vars().
    • Fixed a possible remote code execution vulnerability in the Email Library when ‘mail’ or ‘sendmail’ are used (thanks to Paul Buonopane from NamePros).
    • Added protection against timing side-channel attacks in Security Library method csrf_verify().
    • Added protection against BREACH attacks targeting the CSRF token field generated by Form Helper function form_open().
  • General Changes
    • Deprecated $config['allow_get_array'].
    • Deprecated $config['standardize_newlines'].
    • Deprecated Date Helper function nice_date().

Bug fixes for 3.1.3

  • Fixed a bug (#4886) - Database Library didn’t differentiate bind markers inside double-quoted strings in queries.
  • Fixed a bug (#4890) - XML-RPC Library didn’t work on PHP 7.
  • Fixed a regression (#4887) - File Uploading Library triggered fatal errors due to numerous PHP distribution channels (XAMPP and cPanel confirmed) explicitly disabling ext/fileinfo by default.
  • Fixed a bug (#4679) - Input Library method ip_address() didn’t properly resolve $config['proxy_ips'] IPv6 addresses.
  • Fixed a bug (#4902) - Image Manipulation Library processing via ImageMagick didn’t work.
  • Fixed a bug (#4905) - Loader Library didn’t take into account possible user-provided directory paths when loading helpers.
  • Fixed a bug (#4916) - Session Library with sess_match_ip enabled was unusable for IPv6 clients when using the ‘database’ driver on MySQL 5.7.5+.
  • Fixed a bug (#4917) - Date Helper function nice_date() didn’t handle YYYYMMDD inputs properly.
  • Fixed a bug (#4923) - Session Library could execute an erroneous SQL query with the ‘database’ driver, if the lock attempt times out.
  • Fixed a bug (#4927) - Output Library method get_header() returned the first matching header, regardless of whether it would be replaced by a second set_header() call.
  • Fixed a bug (#4844) - Email Library didn’t apply escapeshellarg() while passing the Sendmail -f parameter through popen().
  • Fixed a bug (#4928) - the bootstrap file didn’t check if config/constants.php exists before trying to load it.
  • Fixed a bug (#4937) - Image Manipulation Library method initialize() didn’t translate new_image inputs to absolute paths.
  • Fixed a bug (#4941) - Query Builder method order_by() didn’t work with ‘RANDOM’ under the ‘pdo/sqlite’ driver.
  • Fixed a regression (#4892) - Query Builder method update_batch() didn’t properly handle identifier escaping.
  • Fixed a bug (#4953) - Database Forge method create_table() didn’t update an internal tables list cache if it exists but is empty.
  • Fixed a bug (#4958) - Query Builder method count_all_results() didn’t take into account cached ORDER BY clauses.
  • Fixed a bug (#4804) - Query Builder method insert_batch() could fail if the input array pointer was modified.
  • Fixed a bug (#4962) - Database Forge method alter_table() would fail with the ‘oci8’ driver.
  • Fixed a bug (#4457) - Image Manipulation Library method get_image_properties() didn’t detect invalid images.
  • Fixed a bug (#4765) - Email Library didn’t send the User-Agent header without a prior call to clear().