Try a 'Fresh Fix' for 2016
After a failed attempt to get something under the tree for Christmas, we now release v2.3.7 specifically to address the fatal flaws within the pulled v2.3.6 release. These include:
- regression fix where all styles were stripped from rich text on save because the recent XSS security fix was too aggressive
- regression fix where an admin could possibly edit a super-admin user profile
- security fix where elFinder would allow an authenticated user to upload a file containing script (an XSS payload) and then execute it in the browser (CVE-2015-8684)
- regression fix where enabling the enhanced password hash strength (added in v2.3.5) broke all subsequent logins because the stored hash field was not long enough to hold the new, longer hash
  - this only occurred on sites upgraded from a version prior to v2.3.5, and then only after 'password crypto depth' was raised above 0
- regression fix where optional ajax paging would add the 'time' parameter twice to calendar URLs
- regression fix where optional ajax paging would add Google Analytics parameters to the URLs
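The elFinder item above is the classic "upload a file with a harmless-looking name, then open it so the browser runs it" problem. The following is an added illustration of the two controls that close that class of bug, not elFinder's or Exponent's own code: an upload filter that allow-lists extensions, checks the bytes match the claimed type and refuses anything containing markup or script, plus a download path that sets a server-chosen Content-Type with nosniff so the browser never guesses text/html. The function names, the allow-list and the sample files are assumptions constructed for the example.

```python
"""Upload filter and download headers against stored XSS via file upload.

Added illustration, not elFinder's or Exponent's code. The browser does not
care what a file was called on upload; it cares about the bytes and the
response headers. So we (1) allow-list extensions, (2) confirm the bytes
match what the extension claims, (3) refuse anything that looks like markup
or script, and (4) serve stored files with a server-chosen type and nosniff.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, Tuple

# Magic bytes for the only types this (hypothetical) site is willing to store.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
CONTENT_TYPES = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf",
}
# Anything a browser would treat as active content if it were ever served
# (or sniffed) as text/html or image/svg+xml, plus server-side script.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|svg|iframe|object|embed|\?php)\b|javascript\s*:",
    re.IGNORECASE,
)


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Sniffs the first 4 KiB for markup/script."""
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    if ext not in MAGIC:
        return False, f"extension '.{ext}' not on the allow-list"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match a .{ext} file"
    if ACTIVE_CONTENT.search(data[:4096]):
        return False, "file body contains markup or script"
    return True, "ok"


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored file: type chosen by us, never sniffed,
    and anything that is not an image is forced to download."""
    path = PurePosixPath(filename)
    ctype = CONTENT_TYPES.get(path.suffix.lstrip(".").lower(), "application/octet-stream")
    disposition = "inline" if ctype.startswith("image/") else "attachment"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{disposition}; filename="{path.name}"',
    }


# Constructed sample uploads (not real files from any report).
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 64
HTML_NAMED_PNG = b"<html><body><script>alert(1)</script></body></html>"
POLYGLOT_SAMPLE = MAGIC["png"] + b"\x00" * 16 + b"<script>alert(document.cookie)</script>"
PDF_SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, body in [("avatar.png", PNG_SAMPLE), ("avatar.png", HTML_NAMED_PNG),
                       ("avatar.png", POLYGLOT_SAMPLE), ("evil.html", HTML_NAMED_PNG),
                       ("report.pdf", PDF_SAMPLE)]:
        print(name, check_upload(name, body), download_headers(name)["Content-Disposition"])
```

Note that the magic-byte check alone is not enough: the third sample starts with a valid PNG header and still carries a script tag, which is exactly the polyglot an attacker uploads when only the first bytes are checked. The nosniff header is the backstop for the files the filter misses.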
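The password-hash regression above is worth seeing in miniature, because it is a general trap, not an Exponent-specific one: a column sized for a 32-character md5 digest silently truncates any longer hash (MySQL in non-strict mode truncates rather than rejecting), and a truncated hash can never verify. The following added example is not Exponent's code and does not reproduce its real hash routine; 'depth' is a stand-in for any setting that swaps the legacy digest for a longer salted, iterated hash, and the PBKDF2 encoding, `store()` and `column_is_wide_enough()` are assumptions made for the illustration.

```python
"""Why a stronger password hash can lock everyone out: the column is too narrow.

Added illustration, not Exponent's code. 'depth' stands in for a setting
like 'password crypto depth'; the hash format is an assumption.
"""
import hashlib
import hmac
import os

LEGACY_WIDTH = 32  # width of a VARCHAR(32) column originally sized for md5


def make_hash(password: str, depth: int) -> str:
    """depth 0: legacy unsalted md5 (32 hex chars).
    depth > 0: salted PBKDF2-SHA256, 2**(10+depth) rounds, encoded as
    '$pbkdf2$<rounds>$<salt>$<digest>' (always longer than 32 chars)."""
    if depth == 0:
        return hashlib.md5(password.encode()).hexdigest()
    rounds = 2 ** (10 + depth)
    salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()
    return f"$pbkdf2${rounds}${salt}${digest}"


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison against whatever the database handed back."""
    if not stored.startswith("$"):
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    try:
        _, _, rounds, salt, digest = stored.split("$")
    except ValueError:  # a badly truncated hash no longer has five fields
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(rounds)).hex()
    return hmac.compare_digest(calc, digest)  # truncated digest never matches


def store(hash_value: str, column_width: int) -> str:
    """Simulates a VARCHAR column in non-strict mode: silently truncates."""
    return hash_value[:column_width]


def login_ok(password: str, depth: int, column_width: int) -> bool:
    """Set password at the given depth, round-trip it through the column, log in."""
    return verify(password, store(make_hash(password, depth), column_width))


def column_is_wide_enough(column_width: int, depth: int) -> bool:
    """Pre-flight check to run before raising the depth setting on a live site."""
    return column_width >= len(make_hash("probe", depth))


if __name__ == "__main__":
    print("depth 0, width 32:", login_ok("hunter2", 0, LEGACY_WIDTH))   # True
    print("depth 1, width 32:", login_ok("hunter2", 1, LEGACY_WIDTH))   # False: locked out
    print("depth 1, width 255:", login_ok("hunter2", 1, 255))           # True
    print("schema ok for depth 1?", column_is_wide_enough(LEGACY_WIDTH, 1))
```

The practical takeaway is the last function: a setting that changes the hash algorithm should refuse to take effect (or the upgrade script should widen the column first) when the schema cannot hold the longest hash the new setting produces. The failure is otherwise invisible until the next login.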
Additionally, it includes all the fixes and features found in the stillborn v2.3.6 (code named Candy Cane)! We recommend that all users with a v2.3.x installation upgrade to this version (with the normal precautions before upgrading a production web site).
Of particular note about this version:
- adds additional security checking for XSS vulnerabilities - CVE-2015-8667
- adds support for PHP v7.x
- compatible with PHP v5.3.x, 5.4.x, 5.5.x, 5.6.x, and 7.0.x
Highlights in the version are:
- regression fix where all reCAPTCHA responses have always failed since v2.3.3
- adds new 'loading' animation (font icon) for bootstrap/bootstrap3
- cleans up some bootstrap3 views, returns option of displaying extra-small buttons in sample theme
- adds new setting to bootstrap/bootstrap3 themes to limit menu item depth in navbars
- adds new setting to bootstrap3 theme to center main navbar (in addition to left & right alignment)
- adds new optional paypalExpress 'in-context' checkout experience
- adds two optional elFinder themes, also cleans up default theme
- better EAAS error and event record support (events now sent by date instead of by entry sequence)
- much better (optional) ajax paging support
- much better job of returning to previous pages
- adds new optional upgrade script to quickly clean up files database (adds new files, removes missing files)
- includes all fixes from v2.3.5 patches (#1 & #2)
You can find additional information about changes in the pre-release news post found here.