The Insane Visions team has issued an urgent security fix for AdaptCMS Pro/Lite 1.3. The security issue was a matter of SQL Injection vulnerability and they say that hashes were possible to get, but not passwords themselves. They recommend downloading and applying this patch immediately.

"For the first time with AdaptCMS, Insane Visions has issued an urgent security fix. This recent security hole was discovered by the group at Milw0rm. Upon hearing about this security hole we immediately fixed the problem in a matter of minutes and are now issuing this fix.

The Security Hole was related to the new "Check User" feature in AdaptCMS Lite 1.3 and AdaptCMS Pro 1.3. When signing up you would enter the username desired, once moving to the password field a box would appear saying whether the username was taken or not. The issue was the PHP that checks to see if the username is taken did not use any safe guards incase of SQL injection. The worst consequence is the stealing of the MD5 hash of a users password but NO passwords themselves were vulnerable to this problem.

This fix is simply one file which goes into the "includes/" folder. We recommend that all AdaptCMS Lite users upload this fixed file immediately. Thank you."

Links: AdaptCMS 1.3 Security Fix Released - Download
CMS Page: AdaptCMS Lite, AdaptCMS Pro

The Drupal team has announced the release of Drupal 6.5 and 5.11. Both releases fix "critical security vulnerabilities" and it is "strongly recommended" to upgrade Drupal 5 and 6 sites. Here's the announcement:

"Drupal 6.5 and Drupal 5.11, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement, more information on the 5.x releases can be found in Drupal 5.0 release announcement."

Link: Drupal 6.5 and 5.11 released
CMS Page: Drupal

It has been anounced that a new release of e107, 0.7.13, has been released. This is seemingly another small bug-update that affects "relatively few files" and also fixes a security vulnerability. They recommend to apply the update as soon as possible.

"A bit like buses, E107 releases sometimes come in pairs - usually because a bug which affects a fair number of people has crept in under the radar of those who regularly update from CVS. More to the point, on this occasion there's a fix for a security vulnerability which can potentially affect those with certain server configurations. Thanks to Fanat1k for finding this one.

Relatively few files have changed, so you're recommended to apply the full update as soon as possible.

You can get the new version here: http://e107.org/edownload.php"

Link: e107 0.7.13 Released
CMS Page: e107

A new "minor release" of TYPOlight has been released and is availble, TYPOlight 2.6.1. Here's the story:

"TYPOlight version 2.6.1 is available. The minor release introduces a new content element named "article alias", which allows you to insert the content of an article into another one. In addition, the newsletter module has been overworked and now supports sending personalized e-mails to registered members. The new version also includes some important bug fixes (especially for the built-in search engine), so it is recommended to update."

Feel free to checkout the TYPOlight CMS Page to see the new version in action.

Link: TYPOlight 2.6.1 Released
CMS Page: TYPOlight

The MiaCMS team has released a very imporant security patch, MiaCMS 4.6.5 Security Patch 1. This Patch fixes serious SQL injection issues found in MiaCMS. They "strongly recommend" that all users update there copy of MiaCMS as soon as possible. Here's the scoop:

"As you may or may not be aware, within the last day or two there has been a MiaCMS SQL injection security report making rounds on the web.  We have taken time to carefully review the report and wanted to make you aware of our findings.  The report can be found here for reference - http://secunia.com/advisories/31584/.

The reported exploits claim that input passed to the "id" parameter in index.php (when "option" is set to "com_content" and "task" to "view", "category", or "blogsection") is not properly sanitized before being used in SQL queries.  The report is accurate and this problem is due to incorrect sanitization of the $id variable within the mod_socialbits.php file of the Socialbits module.  We have corrected the issue and released a patch for 4.6.5 called "MiaCMS_v4.6.5_SecurityPatch_1".  The patch file can be found on our main project downloads page (http://code.google.com/p/miacms/downloads/list).

It is strongly recommended that all users apply this update to their MiaCMS installation.  There are upgrade instructions contained within the zip file.  Thank you for your patience and understanding. 4.6.5"

Link: MiaCMS 4.6.5 Security Patch 1 Released
CMS Page: MiaCMS

e107 has announced a new release of their CMS, 0.7.12. The new release contains a few security updates as well as many bug fixes. Here's the details:

"The newest build of e107 has finally been released. No it's not a 0.8 release, but another in the 0.7.x tree.

This version builds upon the proven stability of the 0.7 tree by adding a slew of bugfixes.
Yes, there is a few security updates, so you will want to upgrade as soon as possible!

For those of you with critical production systems, please wait a few days for any problems that are reported with the new version, you never know what I may have messed up in creating the builds

You can get the new version here: http://e107.org/edownload.php"

Link: e107 0.7.12 Released
CMS Page: e107

It's been announced that Drupal 6.4 and 5.10 have been released, both mainteance releases fixing bug and "critical security vulnerabilities". As expected, they "strongly" recommend that any Drupal users upgrade to the new versions.

"Drupal 6.4 and Drupal 5.10, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement, more information on the 5.x releases can be found in Drupal 5.0 release announcement."

Link: Drupal 6.4 and 5.10 released
CMS Page: Drupal

The developer team from PHP-Fusion has announced that PHP-Fusion Core 7 Edition has been released. The new version features better security, user field systems and more. Here's part of the announcements:

"On behalf of the dev team I am proud to announce the official release of PHP-Fusion Core 7 Edition. After almost 8 months of hard work we believe v7 finally takes PHP-Fusion to it's next evolution. Features include better security, a much more flexible theme engine, modular bbcode and user field systems and much much more. For details please refer to our Feature Comparison page. 
 
V7 can be installed afresh or you can upgrade from v6.01. Please read the included read for full instructions before installing or upgrading. Note that v6 mods, infusions and themes are NOT compatible with v7, you must either update or remove such items BEFORE upgrading to v7. "

We'll have the new PHP-Fusion up shortly, keep an eye out for it at the PHP-Fusion CMS Page.

Link: PHP-Fusion 7 Released
CMS Page: PHP-Fusion

A new version of CMS Made Simple has been announced, 1.4.1 "Spring Garden". The new release is "largely a bugfix release" with mostly minor issues fixed. Here's a snippet of the changes in 1.4.1:

"Version 1.4.1 “Spring Garden”
—————————–
- Fixes an issue with the “name” parameter being broken on the stylesheet tag
- Fixes an issue with changing group permissons on windows hosts
- Fixes an issue with group assignment
- Fixes a hard-coded table prefix in the css associations stuff
- Fixes a problem with REQUEST_URI not being set on IIS hosts (stupid windows)
- TinyMCE: Fixed problem with cmslinker not allowing to select parentpages
Fixed a small bug which could cause invalid relative urls to be generated
- A couple more small things…"

Don't forget to checkout the CMS Made Simple CMS Page to see the new version in action.

Link: CMS Made Simple 1.4.1 Released
CMS Page: CMS Made Simple

It's been announced that CMS Made Simple 1.4 (codenamed "Jamaica") has been released. Apparently the 1.4 beta did well with a low amount of bugs reported and now 1.4 "Jamaica" is available, here's the story:

"Many people have donated hours of their valuable time to develop, design, manage and test this release, it is a real testament to the community that CMS has grown. Lets keep it going people, great work by everybody involved."

You can download the new version below, but don't forget to checkout the demo of CMS Made Simple at it's CMS Page, which now has 1.4 online.

Link: Download CMS Made Simple 1.4