Try a 'Fresh Fix' for 2016

Thursday, December 31, 2015 Tags: release, bugs

After a failed attempt to get something under the tree for Christmas, we now release v2.3.7 specifically to address the fatal flaws within the pulled v2.3.6 release.  These include:

  • regression fix where all styles were stripped from rich text upon saving due to the recent security fix being too strong
  • regression fix where an admin could possibly edit a super-admin user profile
  • security fix where elFinder would allow an authenticated user to upload an xss script then execute it, CVE-ID #2015-8684
  • regression fix where enabling the enhanced password hash strength would break all future logins due to stored hash field not being long enough to store the new hash (since v2.3.5)
    • this only occurred on sites when upgrading from a version prior to v2.3.5, and then only when increasing 'password crypto depth' above 0
  • regression fix where optional ajax paging would add 'time' parameter twice to calendar urls
  • ​regression fix where optional ajax paging would add google analytics params to the urls

Additionally it includes all the fixes and features found in the still-born v2.3.6 (code named Candy Cane)! We recommend that all users with a v2.3.x installation, upgrade to this version (with the normal precautions before upgrading a production web site). 

Of particular note about this version:

  • adds additional security checking for XSS vulnerabilities - CVE-2015-8667 
  • adds support for PHP v7.x 
    • compatible with PHP v5.3.x, 5.4.x, 5.5.x, 5.6.x, and 7.0.x

Highlights in the version are::

  • regression fix ALL reCaptcha responses always fail since v2.3.3
  • adds new 'loading' animation (font icon) for boostrap/bootstrap3
  • ​cleans up some bootstrap3 views, returns option of displaying extra-small buttons in sample theme
  • adds new setting to bootstrap/bootstrap3 themes to limit menu item depth in navbars
  • adds new setting to bootstrap3 theme to center main navbar (in addition to left & right alignment)
  • adds new optional paypalExpress 'in-context' checkout experience
  • adds two optional elFinder themes, also cleans up default theme
  • better EAAS error and event record support (events now sent by date instead of by entry sequence)
  • much better (optional) ajax paging support
  • much better job of returning to previous pages
  • adds new optional upgrade script to quickly clean up files database (adds new files, removes missing files)
  • includes all fixes from v2.3.5 patches (#1 & #2)

You can find additional information about changes in the pre-release news post found here.