Magnolia 5.7 reached extended end of life on May 31, 2022. Support for this branch is limited, see End-of-life policy. Please note that to cover the extra maintenance effort, this EEoL period is a paid extension in the life of the branch. Customers who opt for the extended maintenance will need a new license key to run future versions of Magnolia 5.7. If you have any questions or to subscribe to the extended maintenance, please get in touch with your local contact at Magnolia.
Magnolia CORE 5.7.11 is a bug-fixing and security release that delivers the following:
Login via GET disabled by default
Logging in with query parameters using the GET method is now disabled by default. Trying to do so results in a 401 Unauthorized error.
To allow GET or other HTTP methods, add them as a list to info.magnolia.cms.security.auth.login.FormLogin#allowedMethods. See this configuration as an example.
MAGNOLIA-8120 (restricted access)
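Before upgrading, it helps to know which clients still log in with query parameters, since they will receive 401 afterwards and their credentials are already sitting in access logs. The following audit script is an added example, not Magnolia code; it assumes common/combined access log format and the form-login parameter names mgnlUserId and mgnlUserPSWD, which this page does not list, and its log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Magnolia's form-login parameter names; this page does not list them.
USER_PARAM, PASSWORD_PARAM = "mgnlUserId", "mgnlUserPSWD"

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)
PASSWORD_RE = re.compile(r'(' + PASSWORD_PARAM + r'=)[^&\s"]+')

def find_query_logins(lines):
    """Return one finding per request that carried login parameters in its URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        if USER_PARAM not in query and PASSWORD_PARAM not in query:
            continue
        findings.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "path": url.path,
            "user": query.get(USER_PARAM, [""])[0],
            "password_logged": PASSWORD_PARAM in query,  # the value is never copied
            "rejected": m["status"] == "401",  # 5.7.11 default answer to GET logins
        })
    return findings

def redact(line):
    """Mask the password value so the log line can be shared or archived."""
    return PASSWORD_RE.sub(r"\1REDACTED", line)

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2021:10:00:01 +0000] "GET /.magnolia/admincentral?mgnlUserId=editor&mgnlUserPSWD=s3cret HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2021:10:00:05 +0000] "POST /.magnolia/admincentral HTTP/1.1" 302 0',
    '198.51.100.4 - - [02/Jun/2021:08:12:44 +0000] "GET /travel/about?mgnlUserId=sync-job&mgnlUserPSWD=pw%26x HTTP/1.1" 401 312',
    '198.51.100.9 - - [02/Jun/2021:08:13:00 +0000] "GET /travel/tours?page=2 HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for finding in find_query_logins(SAMPLE_LOG):
        print(finding)
```

Accounts that appear in the findings should have their passwords rotated, and the affected log files passed through redact() before they are shared or archived.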
Default path-based locking in Publishing module
With Publishing module 1.1.10, path-based locking has become the default locking mechanism. Previously, publishing occasionally failed while nodes remained locked on the public instance (EEPUBLISH-28).
Node-based locking is still available for compatibility reasons. See Known issues: Cannot publish content with path-based locking.
Third-party library updates
This release comes with the following third-party library updates to fix some security and compatibility issues:
- PDFBox updated to 2.0.24 (BUILD-475).
- Preflight and XmpBox (two subprojects of PDFBox) updated to 2.0.24 (BUILD-476).
- RESTEasy, Jackson Databind and JAXB Runtime updated to 3.15.1.Final, 2.11.1 and 2.3.3-b02 respectively (BUILD-464).
- Tika updated to 1.26 (BUILD-450).
- XStream updated to 1.4.17 (BUILD-470).
We keep the details of security fixes private in line with our security policy. Contact our Support team if you need more information.
Notable bug fixes
- All siblings of a published node now appear in the same order as on the author instance at the time of approving publication. To disable such ordering of sibling nodes, set /modules/publishing-core/config@orderSiblings to false (PUBLISHING-82). This default behavior does not take into account the order at any other point in time (such as the time of creating the published version).
- Synchronization no longer fails when you move or rename a node. Instead, synchronization is completed before a log warning displays all nodes that could not be synchronized (MGNLSYNC-58).
- To better handle dependency problems and runtime exceptions (MAGNOLIA-6442):
  - In info.magnolia.objectfactory.guice.GuiceUtils, the hasExplicitBindingFor() method checks Injector for null before retrieving an explicit binding key.
  - In info.magnolia.objectfactory.guice.GuiceComponentProviderBuilder, the log error triggered when a module configuration fails to load now catches Throwable instead of CreationException.
- When you restore a previous version of a page, you also restore that version’s activation status (MAGNOLIA-7975).
Security advisory
We have fixed an XSS vulnerability with this release. We keep the details private in line with our security policy. Contact our Support team if you need more information.
Others
If you are upgrading from an earlier version, read Upgrading to Magnolia 5.7.x first and check the Known issues section on the page.
Changelog
See the 5.7.11 changelog for all the changes.
Updated modules
- Community Edition 5.7.11
- Enterprise Edition 5.7.11
- Magnolia 5.7.11
- Publishing 1.1.10
- Publishing Transactional 1.1
- REST Framework 2.1.7
- Synchronization 1.9.2
- Third-party library BOM 5.7.10
- UI 5.7.11
Acknowledgements
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Thomas Duffey, Fabrizio Giustina, Thomas Martin, CysNET Software, Frank Sommer and Simon Tourville.