Magnolia 5.3.16 fixes a JCR Query bug and potential security vulnerabilities, and introduces the ability to disable drag and drop by configuration. Maven dependency management has also been improved.
What has changed?
An aggregated changelog for 5.3.16 contains all the changes.
This release is a recommended update for all users of Magnolia 5.3.
Drag and drop can be disabled
You can disable drag and drop operations in workbenches.
To control drag and drop operations in an app, the dragAndDrop property has been added to the class info.magnolia.ui.workbench.definition.ConfiguredWorkbenchDefinition. The default value is true; set it to false to disable drag and drop.
Maven dependency management for 3rd party libraries improved
Maven dependency management for some 3rd party libraries such as commons-lang libraries has been cleaned up and improved. The 3rd-party module version has not changed. However, since we had to change the POM files on Magnolia modules, some modules got a new version and are part of this release.
Magnolia CAS module dependency updated
Magnolia CAS module now comes with
. This update provides the correction for a critical security vulnerability in several Jasig CAS clients that allows URL parameter injection due to improper URL encoding at the back-channel ticket validation step of the CAS protocol. MGNLCAS-22.
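The bug class described above, as an added illustration that is not Magnolia or Jasig code: a back-channel validation URL built by plain concatenation lets a key=value pair inside the ticket become a separate query parameter, while percent-encoding keeps it inside the ticket value. The endpoint, class and method names and the ticket string are constructed for this example.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;

public class CasValidationUrlDemo {

    // Hypothetical validation endpoint, for illustration only.
    static final String VALIDATE = "https://cas.example.org/cas/serviceValidate";

    // Flawed form: the ticket received from the browser is appended verbatim.
    static String buildUnencoded(String ticket, String service) throws Exception {
        return VALIDATE + "?ticket=" + ticket + "&service=" + enc(service);
    }

    // Corrected form: every value is percent-encoded before concatenation.
    static String buildEncoded(String ticket, String service) throws Exception {
        return VALIDATE + "?ticket=" + enc(ticket) + "&service=" + enc(service);
    }

    static String enc(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8");
    }

    // Parameter names in the order a server-side query parser would see them.
    static List<String> paramNames(String url) throws Exception {
        List<String> names = new ArrayList<>();
        String query = url.substring(url.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            names.add(URLDecoder.decode(pair.split("=", 2)[0], "UTF-8"));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        String service = "https://app.example.org/";
        // Constructed ticket value that carries an extra key=value pair.
        String ticket = "ST-1-constructed&extra=1";

        // The unencoded URL exposes "extra" as its own parameter;
        // the encoded URL contains only "ticket" and "service".
        System.out.println("unencoded: " + paramNames(buildUnencoded(ticket, service)));
        System.out.println("encoded:   " + paramNames(buildEncoded(ticket, service)));
    }
}
```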
- Fixed a JCR query bug connected with escaping HTML in the legacy JCR Queries app of the admininterface-legacy module. MGNLADMLEG-65
- For Irish surnames like Ó Súilleabháin, their anglicized forms (i.e. O'Sullivan) are now correctly escaped in user names. MAGNOLIA-6696
- Anonymous users are now denied access to legacy ckEditor resources, closing a potential DoS vulnerability in the CK Editor upload field. MGNLADMLEG-67.
This release includes the following new module versions:
- Activation 5.3.6
- AdminInterface (Legacy) 5.2.6
- CAS Connector 1.3.1
- Community Edition 5.3.16
- Enterprise Edition 5.3.16
- LDAP 1.7
- Magnolia 5.3.16
- Observation 2.0.5
- Personalization 1.1.6
- REST 1.1.2
- REST Client 1.0.9
- Transactional Activation 2.2.4
- UI 5.3.16
- Workflow 5.4.9
The Magnolia team would also like to thank everyone who reported issues, contributed patches, translated modules or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to: Thim Anneessens, Nils Breunese, Patrick Lötscher, Michaël Van Der Mark, Frank Sommer.
How to update from earlier versions
- Generally, follow the standard update procedure.
- Please check Important changes for Magnolia 5.2 and 5.3 users.
- Please check how to update from Magnolia 5.2 and earlier if required.
- Please check how to update from Magnolia 4.5 and earlier if required.
Important changes for Magnolia 5.2 and 5.3 users
If you had STK installed
If you continue to work with STK, use the new magnolia-enterprise-pro-stk-bundle as a basis for your project. It includes Enterprise Pro, STK and the old demo project. You get all STK functionality out of the box. Exclude the demo-project if it's in your way.
In order to enable getting an HTML excerpt in a query result, you should update the configuration files of your Jackrabbit instances. Add the two
<param/> directives within your
Add the log configuration for org.reflections
How to update from Magnolia 5.2 and earlier
How to update from Magnolia 4.5 and earlier
Magnolia 5.3.16 ee-bundle may require you to allocate more memory to the Java Virtual Machine (JVM). If you see a java.lang.OutOfMemoryError in the startup log or the system stops responding during installation, increase the Java heap size. The default maximum heap size is 512M. Try a higher amount such as 1024M. We are working on uncovering the root cause for the increased memory need; see Java out of memory.
This release – and the imaging module in particular – is known to have some issues with image generation depending on the Java version used (e.g. Mac OS X and Java 8 or Linux and OpenJDK 1.7). We therefore provide version 3.1.5-java7 of the imaging module with this release. As it is not binary compatible with previous versions, it is not bundled by default.
Imaging module version incompatibilities with some OS / Java version combinations
Magnolia 5.3.16 contains Imaging module version 3.1.5. This module version has known issues in certain OS and Java environments. For example, if you use it on OSX with Java 8 the module creates images with wrong colors.
Use a special version of the Imaging module: 3.1.5-java7 if you are on:
- Java 8 on OS X
- Java 7 OpenJDK on Linux. (Java 7 from Oracle on Linux can use the regular imaging-module)
For further information please see:
Installing magnolia-module-imaging 3.1.5-java7
magnolia-module-imaging 3.1.5-java7 is not bundled by default. You have to install it manually.
Option 1: Maven
Maven is the easiest way to install the module. Add the following dependency to your bundle:
Option 2: Download and install the files
Pre-built jars are also available for download.
- magnolia-module-imaging-3.1.5-java7-bundle.zip, .tar.gz
Extract the file magnolia-module-imaging-3.1.5-java7.zip and add all its content to the WEB-INF/lib directory of your webapps.
Add the jar to the WEB-INF/lib directory of your webapps.
For further information please see installing a module.