|Submitted||20 November 2012|
Fixes a security issue discovered by Timothy D. Morgan. Forgotten password challenges were guessable based on a user's last login and email address. Tokens are now generated based on an HMAC of login time and email address using a salt and secret key specifically for these tokens. Reference: CVE-2012-5618.
This vulnerability can be fixed by upgrading to 2.6.1. An upgrade to this latest version is highly recommended.
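The difference between the two token schemes described above, as an added Python sketch that is not Ushahidi's own code: `weak_token` is a hypothetical stand-in for an unkeyed token (the advisory does not give the original derivation), and `TOKEN_KEY`, `TOKEN_SALT`, the function names and the sample values are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; none come from Ushahidi's code base.
TOKEN_KEY = secrets.token_bytes(32)   # server-side secret used only for reset tokens
TOKEN_SALT = b"password-reset-v1"     # fixed context label mixed into every token


def weak_token(email: str, last_login: int) -> str:
    """Hypothetical unkeyed token: anyone who knows both inputs can recompute it."""
    return hashlib.sha1(f"{last_login}{email}".encode()).hexdigest()


def reset_token(email: str, last_login: int, key: bytes = TOKEN_KEY) -> str:
    """HMAC-SHA256 over the same inputs, keyed with a dedicated secret."""
    addr = email.encode()
    # Length-prefix the email so the field boundaries are unambiguous.
    msg = b"|".join([TOKEN_SALT, str(len(addr)).encode(), addr,
                     str(last_login).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_reset_token(token: str, email: str, last_login: int,
                       key: bytes = TOKEN_KEY) -> bool:
    """Recompute the expected token and compare in constant time."""
    expected = reset_token(email, last_login, key)
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    email, last_login = "user@example.org", 1353369600  # constructed sample account
    token = reset_token(email, last_login)
    print("valid token accepted:    ", verify_reset_token(token, email, last_login))
    # Binding to last_login means the token stops verifying once the user logs in.
    print("stale after next login:  ", verify_reset_token(token, email, last_login + 60))
    # Without the key, the same inputs do not reproduce the token.
    print("reproducible without key:", reset_token(email, last_login, b"\x00" * 32) == token)
```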
|Download (ZIP; click to download)||md5|
|Ushahidi v2.6 -> 2.6.1||6a1ef328dce55dfa2218fe81d1269a18|
|Ushahidi v2.6 (full application)||75eec9678f04ad9245c1b267bca55980|
Users who cannot upgrade for whatever reason can patch their install with the patches available below.
- Download and unzip (patch file).
- Upload and replace your current files in the folders that correspond to those in the patch.
|Patch for v2.6 and earlier||d4b3055ab60457155ae21231f3e286fc|