|author||Christopher Allan Webber <email@example.com>||2015-12-20 09:53:25 -0600|
|committer||Christopher Allan Webber <firstname.lastname@example.org>||2015-12-20 09:53:25 -0600|
0.8.1 release notesv0.8.1
1 files changed, 53 insertions, 0 deletions
diff --git a/docs/source/siteadmin/relnotes.rst b/docs/source/siteadmin/relnotes.rst
index 81c5e4a2..d177961e 100644
@@ -39,6 +39,59 @@ carefully, or at least skim over it.
git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git
+This release is a security and bugfix release. We recommend you upgrade as
+soon as possible.
+**Do this to upgrade**
+0. If you haven't already, switch the git remote URL:
+ ``git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git``
+1. Update to the latest release. If checked out from git, run:
+ ``git fetch && git checkout -q v0.8.1``
+ ``./bootstrap.sh && ./configure && make``
+3. Also run
+ ``./bin/python setup.py develop --upgrade && ./bin/gmg dbupdate``
+(Please check intermediate release steps as well if not upgrading from
+Most importantly, there is an **important security fix**:
+Quoting here a portion of the
+`release blogpost <http://mediagoblin.org/news/mediagoblin-0.8.1-security-release.html>`_::
+ We have had a security problem in our OAuth implementation reported to
+ us privately and have taken steps to address it. The security problem
+ effects all 0.5.0 versions of GNU MediaGoblin. I have created a patch
+ for this and released a minor version 0.8.1. It's strongly advised
+ that everyone upgrade as soon as they can.
+ In order to exploit the security issue, an attacker must have had
+ access to a logged in session to your GNU MediaGoblin account. If you
+ have kept your username and password secret, logging in only over
+ HTTPS and you've not left yourself logged in on publicly accessible
+ computers, you should be safe. However it's still advised all users
+ take the following precautions, listed below.
+ Users should check their authorized clients. Any client which looks
+ unfamiliar to you, you should deauthorize. To check this:
+ 1) Log in to the GNU MediaGoblin instance
+ 2) Click the drop down arrow in the upper right
+ 3) Click "Change account settings"
+ 4) At the bottom click the "Deauthorize applications" link
+ If you are unsure of any of these, click "Deauthorize".
+There are other bugfixes, but they are fairly minor.