News from Habari

Habari 0.6.5 Security Release

A very minor security-related issue was discovered this week that allowed an attacker to reset the password of any user whose user_id they were able to guess, triggering a reset email to the affected user. While we're unaware of any instances of this occurring in the wild, and at no time was the attacker able to obtain the user's password, we've made a simple fix and packaged up the 0.6.5 release.

All users of the 0.6.4 release are encouraged to upgrade immediately to avoid this inconvenience.

You can download a zip file or check out the tag directly from Subversion.

The Habari Project is incredibly security-conscious and relies on the community to quickly report any possible security exploits they find so we can evaluate and correct them as quickly as possible. If you believe you've found such an exploit, please contact security@habariproject.org with details!