Revision as of 23:14, 11 November 2012

Notes

This is the changelog for the 2.3.5 release.

For a more detailed, raw log of changes, see the git log

Company name and address in the backoffice -- possibly high impact if running self-service and allowing address changes, end-customers might be able to XSS the browser of an employee
Package definitions, billing events and phone devices in backoffice -- low impact, admins who can edit those things can already do many things worse than XSS employees)
View usage and change package in self-service -- low impact. end-customers XSSing themselves is not really a problem)

New conditions: "Package Reason Type" / "Package Not Reason Type"
New actions: "Unsuspend all of this customer's suspended packages" / "Unsuspend this package"

The SQL injection reported in the Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities advistory was investigated and determined to be incorrect. Freeside is not vulnerable to an SQL injection via self-service.

@@ Line 26: / Line 26: @@
 = VoIP =
-* Add Windstream CDR format
+* New Windstream CDR format
 = Misc =
 * The SQL injection reported in the [http://www.securityfocus.com/archive/1/523430/30/0/threaded Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities] advistory was investigated and determined to be incorrect.  Freeside is not vulnerable to an SQL injection via self-service.