jlp
Senior Member
Posts: 251 | Threads: 151 | Joined: Sep 2014 | Reputation: 97

#1

CodeIgniter 2.2.2 has been released today, and is a security release for the 2.x branch.

HTTP "Host" header character validation was added, to prevent cache poisoning attacks when base_url auto-detection is used.

Since most have moved on to the development version of 3.0 from the GitHub repo, these fixes only affect sites powered by the legacy version. Sites running the development version of 3.x are unaffected as they have already been addressed in that version line. We felt that sites who were still running 2.x and potentially impacted by the vulnerability warranted an update so the release available for that version line is secure.

You can download v2.2.2 now, and we encourage you to read the full changelog.

James Parry
Project Lead
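The Host header validation the release note above refers to, shown as an added illustration that is not CodeIgniter's own code: a check that accepts only the characters a legitimate host[:port] value can contain, and a base_url resolver that prefers an explicit configured value and only falls back to the validated header (optionally restricted to an allowlist). The function names, the $config and $server arrays, the allowlist parameter and the sample requests are assumptions made for this example.

```php
<?php
// Added example (not CodeIgniter's code): validate an HTTP Host header before
// using it to build a base URL, and show the safer alternative of a fixed base_url.

/**
 * Return true if $host looks like a legitimate "host[:port]" value.
 * Allowed: letters, digits, '-', '.', an optional numeric port, or a bracketed
 * IPv6 literal. Anything else (spaces, slashes, '@', '?', '#', control bytes)
 * is rejected, so a crafted header cannot smuggle a path or a foreign origin
 * into URLs the framework would otherwise generate and a cache could then store.
 */
function is_valid_host_header(string $host): bool
{
    // Hostname or IPv4 address, optional :port (simplified RFC 3986 reg-name).
    $dns = '/^[A-Za-z0-9][A-Za-z0-9.-]{0,253}(?::[0-9]{1,5})?$/';
    // Bracketed IPv6 literal, optional :port.
    $ipv6 = '/^\[[0-9A-Fa-f:.]+\](?::[0-9]{1,5})?$/';
    return preg_match($dns, $host) === 1 || preg_match($ipv6, $host) === 1;
}

/**
 * Derive a base URL for the request. An explicit $config['base_url'] always wins;
 * auto-detection from the Host header is only a fallback, and only when the
 * header passes character validation and (if given) the allowlist.
 */
function resolve_base_url(array $config, array $server, array $allowed_hosts = []): string
{
    if (!empty($config['base_url'])) {
        return rtrim($config['base_url'], '/') . '/';
    }
    $host = $server['HTTP_HOST'] ?? '';
    if (!is_valid_host_header($host)) {
        throw new RuntimeException('Invalid Host header');
    }
    if ($allowed_hosts !== [] && !in_array(strtolower($host), $allowed_hosts, true)) {
        throw new RuntimeException('Host not in allowlist');
    }
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . '/';
}

// Constructed sample requests (not captured from a real server).
$ok  = ['HTTP_HOST' => 'example.com:8080'];
$bad = ['HTTP_HOST' => 'example.com/../inject'];   // contains path characters

echo resolve_base_url([], $ok), PHP_EOL;            // accepted: valid host and port
try {
    resolve_base_url([], $bad);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                 // rejected before any URL is built
}
// With an explicit base_url the header is never consulted, which is the
// simplest way to take the Host header out of the picture entirely.
echo resolve_base_url(['base_url' => 'https://example.com'], $bad), PHP_EOL;
```

Setting base_url explicitly in the configuration removes the dependence on client-supplied input altogether; character validation and a host allowlist are the defenses for sites that must keep auto-detection.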

Crenel
Newbie
Posts: 9 | Threads: 1 | Joined: Apr 2015 | Reputation: 3

#2

(04-15-2015, 09:10 AM) jlp Wrote: Since most have moved on to the development version of 3.0 from the GitHub repo, these fixes only affect sites powered by the legacy version.

I definitely appreciate security patches for the 2.x series. My existing CI sites are all on 2.x and I don't know when I will have time to upgrade them.

AFAIK, CI doesn't have a usage reporting feature, which prevents knowing just how many live 2.x sites are out there. Is "most have moved on" basically a guess based on current input from those in active development? I didn't even know there was a 3.x until fairly recently, and I would guess there are others who still don't know. Not everyone is actively developing their sites, even if the sites are in production. If you're not actively developing and just letting the site run, it's (too) easy to be disconnected from what else is happening in the world of CodeIgniter.

mwhitney
Posting Freak
Posts: 1,101 | Threads: 4 | Joined: Nov 2014 | Reputation: 95

#3

I've set up Bonfire to switch between 2.x and 3.x fairly easily, but there are still some bugs to work out in Bonfire's interaction with 3.x. Since my own site is running Bonfire (with CI 2.2.2 now), I'm definitely trying my best to track down every little issue I can and get it working with CI 3 before it reaches EOL in October.

Bonfire
Practical CodeIgniter 3
CodeIgniter Testing Guide

alkarim
Member
Posts: 72 | Threads: 0 | Joined: Apr 2015 | Reputation: 0

#4

Great to hear that CI has released a new version in the CI 2.x series. Hope it is much more secure than the older versions. Good going CI team :-)

viraltalks

ronelb
Junior Member
Posts: 25 | Threads: 0 | Joined: Jan 2015 | Reputation: 1

#5

Downloading ...

Thanks for the security updates CI Dev Team! This is good news for those of us that still have legacy projects to maintain. Keep up the great work.

Share what you know,
Learn what you don't

bhblacky
Newbie
Posts: 4 | Threads: 0 | Joined: Feb 2015 | Reputation: 0

#6

A lot of people forget that not every client wants to pay for updates on scripts.

I have a few CodeIgniter projects out there, with greedy clients, and yeah, they are running on an old version and nobody will update it when they don't want to pay. That's the hard reality.

But still, good work for updating, much appreciated.

mtvee
Newbie
Posts: 9 | Threads: 1 | Joined: May 2015 | Reputation: 0

#7

Just a thanks for keeping the 2 branch updated!