Elgg 1.8.17
1 January 2014
Elgg version 1.8.17 is now available (security release).
Upgrading to Elgg 1.8.17
Elgg 1.8.17 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Elgg updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Elgg install to test the 1.8.17 upgrade prior to applying it live.
What's New in Elgg 1.8.17
Elgg 1.8.17 has been released to address a few critical security issues.
Security:
- A specially-crafted request can return the contents of sensitive files.
- A reflected XSS attack is possible against 1.8 systems.
- The cryptographic key used for various purposes may have been generated with weak entropy, particularly on Windows.
Other bug fixes include:
- URLs with non-ASCII usernames again work
- Floated images are now properly cleared in content areas
- The activity page title now matches the document title
- Search again supports multiple comments on the same entity
- Group member listings are ordered by name
- Blog archive sidebar is now in reverse chronological order
- URLs with matching parens can now be auto-linked
- Log browser links for users now work
- Disabling over 50 objects should no longer result in an infinite loop
- The system_log table can now store IPv6 addresses
- Radio/checkbox inputs no longer have border radius (for IE10)
- htmLawed was upgraded to 1.1.16
- List functions: no need to specify pagination for unlimited queries
- User picker: the Only Friends checkbox again works
- Group bookmarklet no longer shown to non-members
- Widget reordering fixed when moving across columns
- Web services auth_gettoken() now accepts email address
- Refuse to deactivate plugins needed as dependencies