Elgg 1.8.5 is ready for download. This release contains three important security enhancements, so be sure to upgrade as soon as possible to keep your network safe.
The first security fix prevents a potential cross-site scripting (XSS) attack that is triggered when a user clicks a specially crafted URL. Credit goes to Yang Dingjie of Qualys, Inc. for finding and reporting this bug. The second fix closes a loophole that allowed users to create a new account without going through the site's account validation. Thanks to Paweł Sroka of Vazco.eu for reporting this issue. The third fix addresses an access-control bug that could inadvertently reveal private entities to users who would not otherwise have access to them. Fortunately this bug is not exploitable on most Elgg installations. Thanks to Mike Hedman for catching that one.
The following notable bugfixes were made:
- For those networks that have enabled the Twitter API plugin, new users are forwarded to the correct page after creating an account with Twitter.
- PDF files now display in the browser instead of downloading directly to users' computers.
- Fixed some upgrade issues related to the system log.
The full list of changes can always be found in the CHANGES.txt file. Download Elgg 1.8.5 and upgrade as soon as possible to take advantage of the security improvements and bug fixes.
There were a total of 6 contributing developers for this release:
- Brett Profitt
- Evan Winslow
- Steve Clay
- Jeroen Dalsem
- Jerome Bakker