CodeIgniter 2.2.3 Released
#1

(This post was last modified: 07-14-2015, 07:17 AM by jlp.)

CodeIgniter 2.2.3 has been released today, and is a security release for the 2.x branch.


Removed a fallback to mysql_escape_string() in the 'mysql' database driver (escape_str() method) when there's no active database connection.

Since most have moved on to the development version of 3.0 from the GitHub repo, these fixes only affect sites powered by the legacy version. Sites running the development version of 3.x are unaffected as they have already been addressed in that version line. We felt that sites who were still running 2.x and potentially impacted by the vulnerability warranted an update so the release available for that version line is secure.

You can download v2.2.3 now, and we encourage you to read the full changelog.
James Parry
Project Lead
Reply
#2

When will the next version of CodeIgniter be launched?
Reply
#3

Thank you James. We have still many websites running under CI 2.x and it's good to know that we're still covered against potential vulnerabilities.
We appreciate it a lot. Thank you very much again.
Reply
#4

I really appreciate your efforts
Reply
#5

give them some time with the next version, they just recently released 3.0.
"I reject your reality and substitute my own" - Adam Savage, M5 Inc.
Reply
#6

Thanks for the release!
Reply
#7

(07-14-2015, 07:16 AM)jlp Wrote: CodeIgniter 2.2.3 has been released today, and is a security release for the 2.x branch.


Removed a fallback to mysql_escape_string() in the 'mysql' database driver (escape_str() method) when there's no active database connection.

Since most have moved on to the development version of 3.0 from the GitHub repo, these fixes only affect sites powered by the legacy version. Sites running the development version of 3.x are unaffected as they have already been addressed in that version line. We felt that sites who were still running 2.x and potentially impacted by the vulnerability warranted an update so the release available for that version line is secure.

You can download v2.2.3 now, and we encourage you to read the full changelog.

Thank you so much, I have a few CI 2 sites which I have not had time to upgrade to CI 3 yet, this is great!
Reply
#8

Just a heads up, this update worked fine on our local dev machines, but when pushed to our live server hosed everything up. We are seeing the following error and not sure exactly why at the moment:

"Message:  mysql_real_escape_string() expects parameter 2 to be resource, boolean given"

We are running the latest versions of HHVM and MariaDB on both our dev and live machines. If anyone has any ideas, I'm all ears...if we determine the problem, I will post back here.
Reply
#9

(07-16-2015, 10:09 AM)kevindeleon Wrote: Just a heads up, this update worked fine on our local dev machines, but when pushed to our live server hosed everything up. We are seeing the following error and not sure exactly why at the moment:

"Message:  mysql_real_escape_string() expects parameter 2 to be resource, boolean given"

We are running the latest versions of HHVM and MariaDB on both our dev and live machines. If anyone has any ideas, I'm all ears...if we determine the problem, I will post back here.

This means that your database connection is not yet initialized at the time you're escaping something.

In fact, the only change in the 2.2.3 release is to require an active connection while escaping variables with the 'mysql' driver. Getting that error message means that you were previously vulnerable to charset-based SQL injection attacks.
Reply
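Added example (not CodeIgniter's own code, and not anything posted in this thread): a minimal escaper that mirrors the behaviour change described in the announcement (post #1) and explained in post #9. `escapeLegacy()` shows the old shape, where a missing connection silently drops to a charset-unaware escaper; `escapeStrict()` shows the 2.2.3 shape, where escaping without a live connection is an error. The class and method names are hypothetical, `mysqli` stands in for the removed `mysql` extension, `addslashes()` stands in for the removed `mysql_escape_string()` fallback (both escape byte-by-byte with no knowledge of the connection charset), and the connection parameters are placeholders.

```php
<?php
// Added example, not CodeIgniter's code. SafeEscaper, escapeLegacy and
// escapeStrict are hypothetical names chosen for this illustration.

final class SafeEscaper
{
    /** @var ?mysqli  live connection, or null when not yet initialized */
    private $conn;

    public function __construct(?mysqli $conn)
    {
        $this->conn = $conn;
    }

    /**
     * Pre-2.2.3 shape: with no live connection, quietly fall back to a
     * charset-unaware escaper. addslashes() stands in for the removed
     * mysql_escape_string() fallback; neither consults the connection's
     * character set, so on a multibyte charset the escaped bytes can still
     * be reinterpreted by the server. This is the path 2.2.3 removed.
     */
    public function escapeLegacy(string $str): string
    {
        if ($this->conn instanceof mysqli) {
            return mysqli_real_escape_string($this->conn, $str);
        }
        return addslashes($str); // charset-blind fallback: the unsafe branch
    }

    /**
     * 2.2.3 shape: refuse to escape until a real connection handle exists.
     * Calling the old extension's mysql_real_escape_string() with a failed
     * connection (false) instead of a resource is what produces the
     * "expects parameter 2 to be resource, boolean given" message quoted
     * in post #8; failing here makes that condition explicit.
     */
    public function escapeStrict(string $str): string
    {
        if (!$this->conn instanceof mysqli) {
            throw new RuntimeException(
                'escape_str() called before the database connection was initialized'
            );
        }
        return mysqli_real_escape_string($this->conn, $str);
    }
}

// Offline demonstration of the failure mode from post #8: no connection yet.
$input = "O'Reilly";

$noConn = new SafeEscaper(null);
echo "legacy, no connection: ", $noConn->escapeLegacy($input), PHP_EOL; // silently "works"

try {
    $noConn->escapeStrict($input);
} catch (RuntimeException $e) {
    echo "strict, no connection: ", $e->getMessage(), PHP_EOL;          // fails loudly
}

// With a live connection the strict path escapes for the connection's charset.
// Connection parameters are placeholders; replace them with real values.
$link = @mysqli_connect('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                        'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($link instanceof mysqli) {
    mysqli_set_charset($link, 'utf8mb4');
    echo "strict, connected: ", (new SafeEscaper($link))->escapeStrict($input), PHP_EOL;
}
```

The practical check this suggests for a site that starts throwing the post #8 error after upgrading: confirm on the live host that the database connection actually succeeds (credentials, host or socket, driver availability) before any code path calls `escape_str()`, since a failed connect leaves the driver holding `false` rather than a connection handle, and under 2.2.2 that condition was masked by the fallback instead of reported.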
#10

Hello!

Is it possible to know only which files were modified?
Reply