Security patch recommended for all versions of Orchard

Background

A non-persistent (reflected) XSS vulnerability has been discovered by Tatsuya Sekiguchi of Hitachi Systems, Ltd. in the Orchard.Comments module that ships with the core distribution of the CMS. Under some circumstances the module lets an external website cause an Orchard site to render attacker-supplied script in the Orchard site's own origin. Such a script could ultimately be used to capture your credentials if you subsequently authenticate on the targeted Orchard site.

All released versions of Orchard are vulnerable and need to be patched immediately.

We are releasing today (April 30, 2013) a new version 1.6.1 of Orchard 1.6 that has the patch in place. This new version is replacing the previously available download. If you are downloading Orchard 1.6.1 today, you do not need to take any additional steps. The latest 1.x development branch is already patched as well. We are also releasing patch files for each version of Orchard from 1.0 to 1.6 that can be applied to existing web sites.

Mitigation

  • If you don't use the Comments module in Orchard, you can simply disable it in the Modules section of the Dashboard.

  • If your theme doesn't render the Messages zone, you are also safe, even if the Comments module is activated.

Action Required

Apply the patch for your version, update to Orchard 1.6.1, or update to the latest 1.x.

Orchard 1.6.1: https://orchard.codeplex.com/releases/view/90325

For older versions of Orchard, we are releasing patch files that can be applied on top of a running instance of Orchard. The archive for each of these patches contains a Modules folder whose structure matches an Orchard site, so its contents are copied into the root directory of the site and overwrite the existing files of the patched module. If you are running from a source checkout, copy the contents of the zip file into src/Orchard.Web instead of the repository root.
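The copy step above is easy to get wrong on a source checkout (the files belong under src/Orchard.Web, not the repository root), and an overwrite with no backup leaves nothing to roll back to. The following POSIX shell script is an added example, not part of the Orchard release or this advisory: it takes the already-extracted patch archive (a directory containing the Modules folder), picks the correct target for a deployed site or a source tree, saves a copy of every file it is about to replace, and then copies the patch tree into place. The function names, the backup-folder name and the requirement that the patch directory has already been unzipped are this example's own assumptions.

```shell
#!/bin/sh
# Example helper for applying an Orchard patch archive (a tree whose top
# level is a Modules/ folder) to an existing site. Not Orchard's own
# tooling; written for this page as an illustration.
set -eu

# orchard_patch_target SITE_ROOT
# Prints the directory the patch contents belong in: src/Orchard.Web for a
# source checkout, the site root itself for a deployed site (Modules/ at root).
orchard_patch_target() {
  root="$1"
  if [ -d "$root/src/Orchard.Web" ]; then
    printf '%s\n' "$root/src/Orchard.Web"
  elif [ -d "$root/Modules" ]; then
    printf '%s\n' "$root"
  else
    echo "not an Orchard site or source tree: $root" >&2
    return 1
  fi
}

# orchard_apply_patch PATCH_DIR SITE_ROOT
# PATCH_DIR is the extracted archive (it must contain Modules/). Every file
# the patch will overwrite is first copied into a timestamped backup folder
# under SITE_ROOT (folder name is this example's convention), then the
# patch's Modules/ tree is copied over the target's Modules/.
orchard_apply_patch() {
  patch="$1"
  root="$2"
  target="$(orchard_patch_target "$root")" || return 1
  if [ ! -d "$patch/Modules" ]; then
    echo "patch directory has no Modules/ folder: $patch" >&2
    return 1
  fi
  backup="$(mktemp -d "$root/patch-backup-XXXXXX")"
  # Back up only files that already exist and are about to be replaced.
  (cd "$patch" && find Modules -type f) | while read -r f; do
    if [ -f "$target/$f" ]; then
      mkdir -p "$backup/$(dirname "$f")"
      cp -p "$target/$f" "$backup/$f"
    fi
  done
  mkdir -p "$target/Modules"
  cp -R "$patch/Modules/." "$target/Modules/"
  echo "patched $target (replaced files saved under $backup)"
}

# Usage: unzip the patch first, e.g. `unzip Orchard-patch.zip -d /tmp/patch`,
# then `orchard_apply_patch /tmp/patch /path/to/site`.
```

The script only moves files; it does not stop or restart the site, so run it against a staging copy first and confirm the Comments module still renders before touching production. Rolling back is a copy of the backup folder's Modules/ tree back over the target.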
