author Christopher Allan Webber <> 2015-12-20 09:53:25 -0600
committer Christopher Allan Webber <> 2015-12-20 09:53:25 -0600
commit 9b9c04e6ac86ad6c8a679ba46ad75c45bd19388b
parent 86ee2d1a0e9057e26add65807191fc28b0eec568
0.8.1 release notes v0.8.1
1 files changed, 53 insertions, 0 deletions
diff --git a/docs/source/siteadmin/relnotes.rst b/docs/source/siteadmin/relnotes.rst
index 81c5e4a2..d177961e 100644
--- a/docs/source/siteadmin/relnotes.rst
+++ b/docs/source/siteadmin/relnotes.rst
@@ -39,6 +39,59 @@ carefully, or at least skim over it.
git remote set-url origin git://
+This release is a security and bugfix release. We recommend you upgrade as
+soon as possible.
+**Do this to upgrade**
+0. If you haven't already, switch the git remote URL:
+ ``git remote set-url origin git://``
+1. Update to the latest release. If checked out from git, run:
+ ``git fetch && git checkout -q v0.8.1``
+2. Run
+ ``./ && ./configure && make``
+3. Also run
+ ``./bin/python develop --upgrade && ./bin/gmg dbupdate``
+(Please check intermediate release steps as well if not upgrading from
+Most importantly, there is an **important security fix**:
+Quoting here a portion of the
+`release blogpost <>`_::
+ We have had a security problem in our OAuth implementation reported to
+ us privately and have taken steps to address it. The security problem
+ effects all 0.5.0 versions of GNU MediaGoblin. I have created a patch
+ for this and released a minor version 0.8.1. It's strongly advised
+ that everyone upgrade as soon as they can.
+ In order to exploit the security issue, an attacker must have had
+ access to a logged in session to your GNU MediaGoblin account. If you
+ have kept your username and password secret, logging in only over
+ HTTPS and you've not left yourself logged in on publicly accessible
+ computers, you should be safe. However it's still advised all users
+ take the following precautions, listed below.
+ Users should check their authorized clients. Any client which looks
+ unfamiliar to you, you should deauthorize. To check this:
+ 1) Log in to the GNU MediaGoblin instance
+ 2) Click the drop down arrow in the upper right
+ 3) Click "Change account settings"
+ 4) At the bottom click the "Deauthorize applications" link
+ If you are unsure of any of these, click "Deauthorize".
+There are other bugfixes, but they are fairly minor.
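Review bot: The quoted paragraph's "effects all 0.5.0 versions of GNU MediaGoblin" does not tell an administrator which releases are vulnerable: it can be read as only the 0.5.0 release or as everything from 0.5.0 onward. Because that text is a verbatim quote, add a sentence of your own before the quote that states the affected range explicitly, so a site admin can tell from the release notes alone whether their instance needs the upgrade and the "Deauthorize applications" check. Two smaller points: the parenthetical beginning "(Please check intermediate release steps as well if not upgrading from" is not closed and names no version in the lines shown here, and step 1 fetches the security release over a git:// remote, which is unauthenticated and unencrypted, so if the release tag is signed it is worth adding a verification step (git tag -v v0.8.1) between the checkout and the build.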