Guest Alexander Ebert Posted March 17, 2022 Posted March 17, 2022 We have just released new versions of our products: WoltLab Suite 5.4.15 WoltLab Suite 5.3.21 WoltLab Suite 5.2.20 WoltLab Suite 3.1.28 Stability releases (third part of the version number, also known as "patch releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates. [HEADING=1]Security Notice[/HEADING] It has been brought to our attention that in the log of cronjobs, there may be an unintended execution of HTML in case of an error. This can occur if, for example, a cronjob retrieves data from an HTML page and, in the event of an error, stores HTML code as an error message. To our knowledge, this vulnerability cannot be deliberately exploited by an attacker. Many thanks to @SoftCreatR for bringing this issue to our attention. We have also received reports that a so-called "Self-XSS" attack can occur when uploading file attachments with specially crafted file names. This can only be exploited when running Linux and macOS, Windows does not allow the special characters in the filename. The impact is limited to the user themselves at the time of upload, there is no further impact. This vulnerability can never be exploited to attack other users or visitors of the site. All WoltLab Cloud customers have already been patched to address these issues [HEADING=1]How to Apply Updates[/HEADING] Open your Administration Control Panel and navigate to "Configuration > Packages > List Packages". Please click on the button "Search for Updates" located in the right corner above the package list. [HEADING=1]Notable Changes[/HEADING] The list below includes only significant changes, minor fixes or typos are generally left out. [HEADING=2]WoltLab Suite Calendar[/HEADING] When switching to another month, the filter by label was discarded. 5.4 Label groups could be set only for the first levels of categories. 5.4 [HEADING=2]WoltLab Suite Filebase[/HEADING] Label groups could be set only for the first levels of categories. 5.4 An incorrect message was generated when accessing a file that does not exist. 5.4 5.3 Deactivated versions can now be viewed by the ”other authors” of a file. 5.4 [HEADING=2]WoltLab Suite Forum[/HEADING] Creating direct links to a filtered list of topics could generate invalid links in rare cases. 5.4 [HEADING=2]WoltLab Suite Core: Importer[/HEADING] vBulletin 5.x The import of Argon2 passwords has been corrected. [HEADING=2]WoltLab Suite Core[/HEADING] (SECURITY): HTML in the error message of failed cronjobs is now correctly masked in the cronjob log. 5.4 5.3 5.2 3.1 (SECURITY): HTML is now correctly masked in the filename display while uploading a file attachment. After the upload is finished and when editing a content (e.g. post) the behavior was already correct. 5.4 5.3 5.2 3.1 Mentioning user groups with non-Latin letters was corrected. 5.4 The implicit expansion of content from blocked users when accessing them via a direct link, introduced in WoltLab Suite 5.4.14, was reverted because it had too many unwanted side effects and caused confusion among users. 5.4 Links inserted into the editor on iOS and Android no longer end up at the start of the text. 5.4 Fixed IPv4 address detection with the StopForumSpam integration. 5.4 5.3 Empty user profile fields of labeledUrl type are no longer displayed in the profile. 5.4 Fixed processing of search terms in quotes when using the MySQL-based search. 5.4 The rich embeds now ignore all non-HTTP links instead of trying to retrieve them unsuccessfully. 5.4 Unknown encodings of the retrieved web page no longer cause the rich embeds to log an error message. 5.4 Label groups could be set only for the first levels of categories. 5.4 Improved the user experience when selecting objects (e.g. a forum section) to configure a menu item. 5.4 Marking quotable text on Android / Chrome Mobile no longer causes the entire page to be marked when hovering over the quote menu. 5.4 When submitting a form with Incorrect values entered, the correct tab was not opened automatically. 5.4 Searching in profile fields with decimal numbers now normalizes the user‘s localized search input. 5.4 Invalid input error message for profile fields for integers has been improved. 5.4 Consideration of words shorter than the minimum length for inclusion in the MySQL search index is no longer forced. Without this change the search results were filtered out in which the words occur alone and only results were returned in which these words appear as part of a word. 5.4 For developers: Bug fixes to the dev tools. 5.4 For developers: Disabled input fields for date selection were not initialized correctly. 5.4 For developers: The escape key in dialogs now triggers the callback for onBeforeClose. 5.4 For developers: Error handling for incorrect $limit and $offset parameters in ->prepare() and ->prepareStatement() has been improved. 5.4 5.3 Continue reading... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.