Page tree
Skip to end of metadata
Go to start of metadata

Magnolia CORE 5.7.11 is a bug-fixing and security release that delivers the following:

Login via GET disabled by default

Logging in with query parameters using the GET method is now disabled by default. Trying to do so results in a 401 Unauthorized error.

To allow GET or other HTTP methods, add them as a list to info.magnolia.cms.security.auth.login.FormLogin#allowedMethods. See this configuration as an example.

Enable other methods on non-production systems only.

MAGNOLIA-8120 (restricted access)

Default path-based locking in Publishing module

With Publishing module 1.1.10, path-based locking has become the default locking mechanism. Previously, publishing occasionally failed while nodes remained locked on the public instance (EEPUBLISH-28).

Node-based locking is still available for compatibility reasons. See Known issues: Cannot publish content with path-based locking.

PUBLISHING-99

Third-party library updates

This release comes with the following third-party library updates to fix some security and compatibility issues:

  • PDFBox updated to 2.0.24 (BUILD-475).
  • Preflight and XmpBox (two subprojects of PDFBox) updated to 2.0.24 (BUILD-476).

  • RESTEasy, Jackson Databind and JAXB Runtime updated to 3.15.1.Final, 2.11.1 and 2.3.3-b02 respectively (BUILD-464).
  • Tika updated to 1.26 (BUILD-450).
  • XStream updated to 1.4.17 (BUILD-470).

We keep the details of security fixes private in line with our security policyContact our Support team if you need more information.

Notable bug fixes

  • All siblings of a published node now appear in the same order as on the author instance at the time of approving publication. To disable such ordering of sibling nodes, set /modules/publishing-core/config@orderSiblings to false (PUBLISHING-82).

    This default behavior does not take into account the order at any other point in time (such as the time of creating the published version).

  • Synchronization no longer fails when you move or rename a node. Instead, synchronization is completed before a log warning displays all nodes that could not be synchronized (MGNLSYNC-58).
  • To better handle dependency problems and runtime exceptions (MAGNOLIA-6442):
    • In info.magnolia.objectfactory.guice.GuiceUtils, the hasExplicitBindingFor() method checks Injector for null before retrieving an explicit binding key.
    • In info.magnolia.objectfactory.guice.GuiceComponentProviderBuilder, the log error triggered when a module configuration fails to load now catches Throwable instead of CreationException.
  • When you restore a previous version of a page, you also restore that version’s activation status (MAGNOLIA-7975).

Security advisory

We have fixed an XSS vulnerability with this release. We keep the details private in line with our security policyContact our Support team if you need more information.

MGNLREST-299

Others

If you are upgrading from an earlier version, read Upgrading to Magnolia 5.7.x first and check the Known issues section on the page.

Changelog

See the 5.7.11 changelog for all the changes.

Updated modules

  • Community Edition 5.7.11
  • Enterprise Edition 5.7.11
  • Magnolia 5.7.11
  • Publishing 1.1.10
  • Publishing Transactional 1.1
  • REST Framework 2.1.7
  • Synchronization 1.9.2
  • Third-party library BOM 5.7.10
  • UI 5.7.11

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Thomas Duffey, Fabrizio Giustina, Thomas Martin, CysNET Software, Frank Sommer and Simon Tourville.

  • No labels