Difference between revisions of "Freeside:2.3.5:Changelog"

(Created page with "=Notes= This is the changelog for the 2.3.5 release. For a more detailed, raw log of changes, see [http://freeside.biz/gitweb/?p=freeside.git;a=shortlog;h=refs/heads/FREESIDE_2…")
 
(Misc)
 
(5 intermediate revisions by 2 users not shown)
Line 8: Line 8:
  
 
* Company name and address in the backoffice -- possibly high impact if running self-service and allowing address changes, end-customers might be able to XSS the browser of an employee
 
* Company name and address in the backoffice -- possibly high impact if running self-service and allowing address changes, end-customers might be able to XSS the browser of an employee
* Package definitions, billing events and phone devices in backoffice -- low impact, admins who can edit those things can already do many things worse than XSS employees)
+
* Package definitions, billing events and phone devices in backoffice -- low impact, admins who can edit those things can already do many things worse than XSS other employees
* View usage and change package in self-service -- low impact. end-customers XSSing themselves is not really a problem)
+
* View usage and change package in self-service -- low impact. end-customers XSSing themselves is not really a problem
  
 
= Billing events =
 
= Billing events =
Line 19: Line 19:
  
 
* Integrated ticketing updated to [http://bestpractical.com/rt RT] version 3.8.15
 
* Integrated ticketing updated to [http://bestpractical.com/rt RT] version 3.8.15
 +
 +
= WISP =
 +
 +
* Mac addresses for svc_broadband now show on the customer package screen
  
 
= RADIUS =
 
= RADIUS =
Line 26: Line 30:
 
= VoIP =
 
= VoIP =
  
* Add Windstream CDR format
+
* New Windstream CDR format
  
 
= Misc =
 
= Misc =
  
* The SQL injection reported in the [http://www.securityfocus.com/archive/1/523430/30/0/threaded Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities] advistory was investigated and determined to be incorrect.  Freeside is not vulnerable to an SQL injection via self-service.
+
* The SQL injection reported in the [http://www.securityfocus.com/archive/1/523430/30/0/threaded Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities] advisory was investigated and determined to be incorrect.  Freeside is not vulnerable to an SQL injection via self-service.
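Review bot: The Misc entry disputes only the SQL injection, but the advisory it links is titled "Multiple Vulnerabilities"; the entry should say whether the advisory's other findings correspond to the XSS issues listed at the top of this changelog or are also considered incorrect, so that readers can tell what this release actually fixes. It would also help to state briefly why self-service is not injectable, rather than only that the report was "determined to be incorrect".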

Latest revision as of 09:01, 22 April 2013

Notes

This is the changelog for the 2.3.5 release.

For a more detailed, raw log of changes, see the git log

XSS (Cross-site scripting) issues

  • Company name and address in the backoffice -- possibly high impact: if you run self-service and allow address changes, end-customers might be able to XSS the browser of an employee
  • Package definitions, billing events and phone devices in backoffice -- low impact, since admins who can edit those things can already do many things worse than XSS other employees
  • View usage and change package in self-service -- low impact; end-customers XSSing themselves is not really a problem

Billing events

  • New conditions: "Package Reason Type" / "Package Not Reason Type"
  • New actions: "Unsuspend all of this customer's suspended packages" / "Unsuspend this package"

Ticketing

  • Integrated ticketing updated to RT version 3.8.15

WISP

  • MAC addresses for svc_broadband now show on the customer package screen

RADIUS

  • Overage billing with per-day caps

VoIP

  • New Windstream CDR format

Misc