Magnolia 5.7 reached extended end of life on May 31, 2022. Support for this branch is limited, see End-of-life policy. Please note that to cover the extra maintenance effort, this EEoL period is a paid extension in the life of the branch. Customers who opt for the extended maintenance will need a new license key to run future versions of Magnolia 5.7. If you have any questions or to subscribe to the extended maintenance, please get in touch with your local contact at Magnolia.
Magnolia CORE 5.7.7 is a bug-fixing and security release that delivers the following:
Stateless protection against login CSRF attack
A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.
When requesting a Magnolia login page before a session is created after authentication, a CSRF token is temporarily kept in a cookie in the client browser. That token is generated with each GET request before login. When the login form is submitted to the server with a POST request, the cookie token is matched against the value coming from the request.
To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.
MAGNOLIA-7660 (restricted access)
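The following sketch illustrates the double-submit check described above. It is an added example, not Magnolia's code: the class and method names are hypothetical, and HMAC-SHA256 keyed with a server-side secret is assumed in place of the release's unspecified salted hash.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper: stateless login CSRF check, no server-side session needed.
public class LoginCsrfDoubleSubmit {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key; // server secret (assumed), never sent to the client

    public LoginCsrfDoubleSubmit(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** GET of the login page: fresh random token to embed in the form. */
    public String newFormToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Cookie value: keyed hash of the form token, so it cannot be rebuilt from the token alone. */
    public String cookieValueFor(String formToken) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(formToken.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** POST of the login form: recompute from the submitted token, compare in constant time. */
    public boolean isValid(String formToken, String cookieValue) throws GeneralSecurityException {
        if (formToken == null || cookieValue == null) return false;
        byte[] expected = cookieValueFor(formToken).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, cookieValue.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret); // constructed secret for this demo only
        LoginCsrfDoubleSubmit csrf = new LoginCsrfDoubleSubmit(secret);
        String token = csrf.newFormToken();
        String cookie = csrf.cookieValueFor(token);
        System.out.println("matching pair accepted: " + csrf.isValid(token, cookie));
        // A cookie planted without the server secret cannot match any form token.
        System.out.println("planted pair accepted: " + csrf.isValid("planted", "planted"));
        System.out.println("missing cookie accepted: " + csrf.isValid(token, null));
    }
}
```

With a plain (unhashed) double-submit cookie, the planted pair in the second check would pass, which is the case the keyed hash closes.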
Third-party library updates
This release comes with the following third-party library updates to fix some security and incompatibility issues:
- H2 database updated to 1.4.200 (MAGNOLIA-7727)
- Hibernate Validator updated to 6.1.4.Final (BLOSSOM-264)
- Log4j updated to 2.13.2 (BUILD-387)
- Tomcat updated to 9.0.31 (MGNLTOMCAT-13)
We keep the details of the security-related fixes private in line with our security policy. Contact our Support team if you need more information.
Notable bug fixes
The following issues have been resolved where:
- In the Advanced Cache module, wrong keys were generated for personalized pages with nested component variants (MGNLADVCACHE-107).
- In the Cache module, CacheResponseWrapper did not retrieve contentType correctly (MGNLCACHE-38).
- In the Content Dependencies module, reference properties were ignored when resolving dependencies (MGNLCDEP-90).
- In the Publishing module, nodes appeared in the wrong order after publishing a single page (PUBLISHING-79).
This issue was previously addressed in PUBLISHING-62. If you no longer experience problems with published node order, you should not upgrade to Publishing 1.1.5.
On the author instance, editors can move nodes to change the order in which they are stored in JCR. Since Magnolia does not track node order history, it is impossible to keep the same order of nodes on the public instance if you publish just one node that has been moved on the author instance. To make sure that the orders of nodes on both instances are aligned, always publish the parent node of any nodes you moved.
- In the Scheduler module, all programmatically added jobs were deleted on restart (MGNLSCH-64).
Others
Upgrading to 5.7.7
If you are upgrading from an earlier version, read Upgrading to Magnolia 5.7.x first and check the Known issues section on the page.
Deprecated requestor properties replaced
The properties ATTRIBUTE_REQUESTOR of info.magnolia.context.Context and requestor of info.magnolia.task.Task have been deprecated in favor of ATTRIBUTE_USERNAME and userName respectively.
Deprecated Content API classes replaced
In the Site module, the PropertyExistsDelegateTask and PropertyValueDelegateTask classes of the legacy Content API have been replaced with HasPropertyDelegateTask and ValueOfPropertyDelegateTask respectively.
Changelog
See the 5.7.7 changelog for all the changes.
Updated modules
- Advanced Cache 2.1
- Barebones Tomcat Bundle 1.1.3
- Blossom 3.2.3
- Cache 5.6.4
- Community Edition 5.7.7
- Content Dependencies 1.9.2
- Diff 2.1.1
- Enterprise Edition 5.7.7
- Imaging 3.4.3
- LDAP Connector 1.10.3
- Magnolia 5.7.7
- Mail 5.5.4
- Password Manager 1.2.4
- Publishing 1.1.5
- Scheduler 2.3.4
- Site 1.2.4
- Task Management 1.2.7
- Third-party library BOM 5.7.6
- UI 5.7.7
- Usage Metrics 1.1.1
Acknowledgments
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Tytgat Christian, Philip Mundt and Diana Racho.