This is a maintenance & security patch release. The most notable changes are:
- Fix: Mail merge js error on Subpanels
- Fix: Warnings reported when cron.php is executed
- Fix: Calendar is displaying Closed (HELD|NOT HELD) Meetings when $show_completed is false - supplied by adamjakab
- Fix: Cannot import email when using Theme P
- Fix: 7.8 Upgrade returns Javascript:void(0) for new filter functionality
- Fix: Ability to clear Search returning Javascript error
- Fix: SMTP campaign sending issue
- Fix: Changes the capitalisation of the User Profile and Advanced tab in the edit view of the user's profile.
- Missing ending </b>
- Clean up/ improve Mssql
This release includes several changes. Here is a list of the most important ones:
- Casting TableCell value to string
- Don't add csp-headers if none are required
- Fix double escaping of the decision attributes in the profiler
- fix Yaml parsing for very long quoted strings
- [BrowserKit] ignore invalid cookies expires date format
- [Cache] Fix class exists checks in PhpArrayAdapter
- [Cache] [PdoAdapter] Fix MySQL 1170 error (blob as primary key)
- [Cache] Fix tags expiration
- [Cache] Fix missing use statement in FilesystemAdapter
- [Cache] Using strpbrk() instead of strcspn() is faster
- [Config] Fix checking cache for non existing meta file
- [Console] Fix TableCell issues with decoration
- [Debug] Fix fatal error when changing ErrorHandler loggers if an exception is buffered
- [Debug] Workaround "null" $context
- [DependencyInjection] Fixed variadic method parameter in autowired classes
- [DI] Fix defaults overriding empty strings in AutowirePass
- [Doctrine Bridge] always check for all fields to be mapped
- [Doctrine Bridge] fix UniqueEntityValidator for composite object primary keys
- [Form] Fixed DateType format option for single text widget
- [FrameworkBundle] fixed custom domain for translations in php templates
- [FrameworkBundle] Execute the PhpDocExtractor earlier
- [FrameworkBundle] Don't wire "annotations.cached_reader" before removing passes
- [HttpKernel] Fix ArgumentValueResolver for arguments default null
- [HttpKernel] Give higher priority to adding request formats
- [Ldap] Ldap username case fix
- [PhpUnit] Blacklist DeprecationErrorHandler in stack traces
- [Process] Non ASCII characters disappearing during the escapeshellarg
- [PropertyInfo] Don't try to access a property thru a static method
- [PropertyAccess] Handle interfaces in the invalid argument exception
- [PropertyInfo] Exclude static methods from properties guessing
- [TwigBundle] do not lose already set method calls
- [Workflow] Fixed support of multiple transitions with the same name
- [Workflow] Added new validator to make sure each place has unique translation names
This release fixes several issues:
- Arbiters in pv1 should vote no in elections if they can see a healthy primary of equal or greater priority to the candidate.
- Add support for filter to listDatabases
- Inefficient I/O when read full DB (poor readahead)
- All JIRA issues closed
This release contains several enhancements and bug fixes:
- Configuration to allow unauthenticated users to see status page
- Added option to configure headers for all Elasticsearch requests
- Status page and API now include plugin version info
- Error notifications will auto-dismiss after a timeout
- Package repos are now based on major versions
- Plugins now have a home for their data
- Fixed blank notifications that were appearing in plugin apps like Sense
- In some circumstances, Visualization editor controls would collapse after applying updates. They will now remain expanded
- Better cleanup on package removal
- Fixed logging for package installs using SysV
- A more accurate description for the Kibana service
Redis 3.2.7 contains a security bug fix and several changes. Notable changes from 3.2.6 include:
- MIGRATE could incorrectly move keys between Redis Cluster nodes by turning keys with an expire set into persisting keys.
- Redis now aliases the host and POST commands to QUIT, so the remaining pipeline is not processed if there are pending commands.
- A ziplist bug that could cause data corruption, could crash the server and may also have security implications was fixed.
- Jemalloc upgraded to 4.4.0. The last version the 4.0 release.
This release contains several enhancements and bug fixes:
- Mapping: Only update DocumentMapper if field type changes
- Internal: Fix ShardInfo#toString
- Logging: The log message of changing max_thread_count
- Java API: Adds removed inQuery method alternative
This release includes several changes. Here is a list of the most important ones:
- [DoctrineBridge] always check for all fields to be mapped
- [PropertyAccess] Handle interfaces in the invalid argument exception
- [DI] Fix defaults overriding empty strings in AutowirePass
- [Debug] Workaround "null" $context
- [DependencyInjection] Fixed variadic method parameter in autowired classes
- [HttpKernel] Fix ArgumentValueResolver for arguments default null
- [HttpKernel] Give higher priority to adding request formats
- [PropertyInfo] Don't try to access a property thru a static method
- [PropertyInfo] Exclude static methods from properties guessing
- [Ldap] Ldap username case fix
- [Doctrine Bridge] fix UniqueEntityValidator for composite object primary keys
- [TwigBundle] do not lose already set method calls
- fix Yaml parsing for very long quoted strings
- Using strpbrk() instead of strcspn() is faster
This release includes several changes:
- Make error message for password reset form more generic
- When sharing autocomplete is disabled, also disable for the email field
- Add command to clean up invalid/expired remote storages
- Fix encryption key storage when using LDAP home folder rules
- Properly react on memcache errors
- Fix random normalizedPathCache log messages / garbage collection issues from PHP 7
- Properly deal with inconsistent LDAP/memcache or user/group manager responses
- Added configreport app which will help with better bug reports
- Fix syncing of file names with colon followed by a number
- Prevent empty user uid from LDAP
- Prevent repeated log messages when dealing with broken picture files
- Fix group-enable option in apps page when memcache is enabled
- Add AVMaxFileSize config option
- Reduce number of federated share requests when dealing with non-existing entries
- Remove obsolete legacy storage repair routine
- Fix broken remote avatar image in activities tab
- When grouping duplicate shares, sort by stime then id
- Make file upload post hooks consistent between chunking and non-chunking mode
- Fix wrong German translation in upload progress bar by using momentjs library
- Skip unavailable storages in background file scan instead of failing
- Update PHP 7.1 incompatibility warning
- Warning notification when uploading 4+ GB file in IE11
This release contains important security fixes:
- Use of AES ECB block cipher mode without IV for encrypting secrets (SECURITY-304 / CVE-2017-2598)
- Items could be created with same name as existing item (SECURITY-321 / CVE-2017-2599)
- Node monitor data could be viewed by low privilege users (SECURITY-343 / CVE-2017-2600)
- Possible cross-site scripting vulnerability in jQuery bundled with timeline widget (SECURITY-349 / CVE-2011-4969)
- Persisted cross-site scripting vulnerability in parameter names and descriptions (SECURITY-353 / CVE-2017-2601)
- Outdated jbcrypt version bundled with Jenkins (SECURITY-354 / CVE-2015-0886)
- Pipeline metadata files not blacklisted in agent-to-master security subsystem (SECURITY-358 / CVE-2017-2602)
- User data leak in disconnected agents' config.xml API (SECURITY-362 / CVE-2017-2603)
- Low privilege users were able to act on administrative monitors (SECURITY-371 / CVE-2017-2604)
- Re-key admin monitor leaves behind unencrypted credentials in upgraded installations (SECURITY-376 / CVE-2017-2605)
- Internal API allowed access to item names that should not be visible (SECURITY-380 / CVE-2017-2606)
- Persisted cross-site scripting vulnerability in console notes (SECURITY-382 / CVE-2017-2607)
- XStream remote code execution vulnerability (SECURITY-383 / CVE-2017-2608)
- Information disclosure vulnerability in search suggestions (SECURITY-385 / CVE-2017-2609)
- Persisted cross-site scripting vulnerability in search suggestions (SECURITY-388 / CVE-2017-2610)
- Insufficient permission check for periodic processes (SECURITY-389 / CVE-2017-2611)
- Low privilege users were able to override JDK download credentials (SECURITY-392 / CVE-2017-2612)
- User creation CSRF using GET by admins (SECURITY-406 / CVE-2017-2613)
This release only contains bug fixes, along with documentation and testing improvements. The following important issues are resolved:
- Stale dependencies passed to onDependencyRemoval() result in data loss on uninstallation
- Update Symfony components to ~2.8.16. This update was necessary in order to make Drupal 8 compatible with PHP 7.1.
- New JavaScript test methods have been added
- Postgres fail in Drupal\Tests\path\Kernel\Migrate\d6\MigrateUrlAliasTest
- Random test failure in DateRangeFieldTest
- Random fail in CopyFileTest
- Random Test Failure with "failed to open stream" for temporary://.htaccess
- Intermittent test fails in LocaleUpdateTest::testUpdateImportSourceRemote()
- UpdatePathTestBase tests randomly failing
This is a security release containing fixes to upgrade OpenSSL. Notable changes from 7.4.0 include:
- crypto: Ability to select cert store at runtime
- crypto: Use system CAs instead of using bundled ones
- deps: upgrade npm to 4.1.2
- deps: upgrade openssl sources to 1.0.2k, CVE-2017-3731, CVE-2016-7055, CVE-2017-3732
- doc: add basic documentation for WHATWG URL API
- process: add NODE_NO_WARNINGS environment variable
- url: allow use of URL with http.request and https.request