
    Jan 01st by Steve Clay

    Elgg 1.8.17 and 1.7.20 Security Releases

    Elgg 1.8.17 and 1.7.20 have been released to address a few critical security issues. Be sure to upgrade immediately to protect your sites.

    • A specially-crafted request can return the contents of sensitive files.
    • A reflected XSS attack is possible against 1.8 systems.
    • The cryptographic key used for various purposes may have been generated with weak entropy, particularly on Windows.

    Thanks to Mike Kasper and an anonymous contributor for reporting these vulnerabilities to us privately via security@elgg.org.

    1.8.17 also includes tons of other fixes:

    • URLs with non-ASCII usernames again work
    • Floated images are now properly cleared in content areas
    • The activity page title now matches the document title
    • Search again supports multiple comments on the same entity
    • Group member listings are ordered by name
    • Blog archive sidebar is now in reverse chronological order
    • URLs with matching parens can now be auto-linked
    • Log browser links for users now work
    • Disabling over 50 objects should no longer result in an infinite loop
    • The system_log table can now store IPv6 addresses
    • Radio/checkbox inputs no longer have border radius (for IE10)
    • Htmlawed was upgraded to 1.1.16
    • List functions: no need to specify pagination for unlimited queries
    • User picker: the Only Friends checkbox again works
    • Group bookmarklet no longer shown to non-members
    • Widget reordering fixed when moving across columns
    • Web services auth_gettoken() now accepts email address
    • Refuse to deactivate plugins needed as dependencies

    Thanks to all contributors who worked on these releases:

    • Brett Profitt
    • Cash Costello
    • Ed Lyons
    • Evan Winslow
    • Jeroen Dalsem
    • Jerome Bakker
    • Juho Jaakkola
    • Matt Beckett
    • Paweł Sroka
    • Sem
    • Steve Clay

    If you would like to contribute to an Elgg release, fork our repository at GitHub.