Difference between revisions of "Freeside:2.3.5:Changelog"
From Freeside
(4 intermediate revisions by 2 users not shown)
Line 8: | Line 8: | ||
* Company name and address in the backoffice -- possibly high impact if running self-service and allowing address changes, end-customers might be able to XSS the browser of an employee | * Company name and address in the backoffice -- possibly high impact if running self-service and allowing address changes, end-customers might be able to XSS the browser of an employee | ||
− | * Package definitions, billing events and phone devices in backoffice -- low impact, admins who can edit those things can already do many things worse than XSS employees | + | * Package definitions, billing events and phone devices in backoffice -- low impact, admins who can edit those things can already do many things worse than XSS other employees |
− | * View usage and change package in self-service -- low impact. end-customers XSSing themselves is not really a problem | + | * View usage and change package in self-service -- low impact. end-customers XSSing themselves is not really a problem |
= Billing events = | = Billing events = | ||
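Review bot: the revised bullets for package definitions and for view usage rate the impact of each XSS issue but, like the unchanged company-name bullet above them, never state whether the issue is fixed in 2.3.5, so a reader cannot tell a fix from a known-issue notice. Suggest opening each bullet with its status, for example "Fixed: ...", and keeping the impact rating after it. Separately, the removed and added text of the "View usage and change package" bullet is identical as shown, so that part of the change looks like whitespace only and could be dropped from the revision.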
Line 19: | Line 19: | ||
* Integrated ticketing updated to [http://bestpractical.com/rt RT] version 3.8.15 | * Integrated ticketing updated to [http://bestpractical.com/rt RT] version 3.8.15 | ||
+ | |||
+ | = WISP = | ||
+ | |||
+ | * Mac addresses for svc_broadband now show on the customer package screen | ||
= RADIUS = | = RADIUS = | ||
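Review bot: in the new WISP entry, "Mac addresses" should be written "MAC addresses", since it is the acronym for the hardware address stored on svc_broadband and not the product name. The rest of the added section follows the heading and bullet style of the surrounding entries.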
Line 30: | Line 34: | ||
= Misc = | = Misc = | ||
− | * The SQL injection reported in the [http://www.securityfocus.com/archive/1/523430/30/0/threaded Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities] | + | * The SQL injection reported in the [http://www.securityfocus.com/archive/1/523430/30/0/threaded Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities] advisory was investigated and determined to be incorrect. Freeside is not vulnerable to an SQL injection via self-service. |
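Review bot: the completed sentence says the reported SQL injection was "investigated and determined to be incorrect" but gives no pointer to that investigation, and the linked advisory is titled "Multiple Vulnerabilities" while this entry addresses only the SQL injection. Suggest linking the ticket or commit that records the analysis, and stating how the advisory's other findings are handled or where in this changelog they are covered.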
Latest revision as of 09:01, 22 April 2013
Notes
This is the changelog for the 2.3.5 release.
For a more detailed, raw log of changes, see the git log.
XSS (Cross-site scripting) issues
- Company name and address in the backoffice -- possibly high impact: if running self-service and allowing address changes, end-customers might be able to XSS the browser of an employee
- Package definitions, billing events and phone devices in backoffice -- low impact; admins who can edit those things can already do many things worse than XSS other employees
- View usage and change package in self-service -- low impact; end-customers XSSing themselves is not really a problem
Billing events
- New conditions: "Package Reason Type" / "Package Not Reason Type"
- New actions: "Unsuspend all of this customer's suspended packages" / "Unsuspend this package"
Ticketing
- Integrated ticketing updated to RT version 3.8.15
WISP
- MAC addresses for svc_broadband now show on the customer package screen
RADIUS
- Overage billing with per-day caps
VoIP
- New Windstream CDR format
Misc
- The SQL injection reported in the Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities advisory was investigated and determined to be incorrect. Freeside is not vulnerable to an SQL injection via self-service.