The PKP Development Team announces the release of OJS 2.3.6.
OJS 2.3.6 was released to address a security vulnerability affecting all versions of OJS between 2.2.1 and 2.3.5 (inclusive). The vulnerability affects file uploads to the "public" directory. See the issues marked "Critical" at http://pkp.sfu.ca/wiki/index.php/OJS_2.3.5_Recommended_Patches
for full details. We recommend that users running affected versions of OJS either patch their installations with the patches available at the link above or upgrade to the newest release as soon as possible. There have been reports of abuse of this vulnerability and we suggest that users check server logs to review access to the "public" directory, looking for requests to server-side executables such as PHP scripts within that directory.
OJS 2.3.6 also includes a number of minor bug fixes and modifications, also described at the above link.
PKP takes security very seriously and has established a solid track record, both for good coding practices and for rapid responses to the few issues that have arisen. The best way to stay informed about security issues is to subscribe to the recommended patches
page for your release of OJS.
For full release notes, please see http://pkp.sfu.ca/ojs/RELEASE-2.3.6
. OJS 2.3.6 can be downloaded at http://pkp.sfu.ca/ojs_download