Magnolia CMS 6.1.6 provides bug fixes, security updates and several usability improvements. In line with our End-of-life policy, this release marks the beginning of the extended end-of-life period for the 6.1 branch of Magnolia. This period is intended to give users more freedom and flexibility when planning migration to a fully supported release. For availability of the most recent Magnolia release, see the Releases page.
Optimized scanning and pattern matching for
In the Resources module, the ResourcesTemplatingFunctions#generate method used by resfn previously scanned:
- All the files and directories of the
- All the files in the classpath to match their path with the provided JS or CSS path (potential regex)
This recursive scanning resulted in significant CPU usage. To ensure that such scanning and pattern matching are no longer forced, compiled regular expressions have been optimized as follows:
Content API removed from Solr module
In the Solr Search Provider module, we have removed dependencies on the deprecated Content API that prevented Magnolia from starting when the module was included in a webapp.
Third-party library updates
This release comes with the following third-party library updates to fix some security and incompatibility issues:
Notable bug fixes
The following issues have been resolved:
- In the Cache module, CacheResponseWrapper did not retrieve
- In the Magnolia Templating Essentials (MTE) module, images could not be displayed due to
- In the Publishing module, nodes appeared in the wrong order after publishing a single page (PUBLISHING-79).
Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.
Additional security improvements
Stateless protection against login CSRF attack
A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.
When requesting a Magnolia login page before a session is created after authentication, a CSRF token is temporarily kept in a cookie in the client browser. That token is generated with each GET request before login. When the login form is submitted to the server with a POST request, the cookie token is matched against the value coming from the request.
To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.
MAGNOLIA-7660 (restricted access)
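The check described above can be sketched in plain Java as follows. This is an added example, not Magnolia's implementation: the class and method names are hypothetical, and HMAC-SHA256 keyed with a server-side secret is assumed for the "salted hash", which the release notes do not specify.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of a stateless double-submit check; not Magnolia's own code.
public class LoginCsrfDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] serverSecret;   // assumption: per-deployment secret kept server-side

    LoginCsrfDemo(byte[] serverSecret) { this.serverSecret = serverSecret.clone(); }

    // GET of the login page: fresh random token for the hidden form field.
    String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Cookie value is a keyed hash of the token, so it cannot be derived from the token alone.
    String cookieFor(String token) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
        byte[] tag = mac.doFinal(token.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // POST of the login form: recompute from the submitted token, compare in constant time.
    boolean verify(String formToken, String cookieValue) throws Exception {
        if (formToken == null || cookieValue == null) return false;
        byte[] expected = cookieFor(formToken).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, cookieValue.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];        // constructed sample secret for the demo
        RNG.nextBytes(secret);
        LoginCsrfDemo csrf = new LoginCsrfDemo(secret);

        String token = csrf.newToken();
        String cookie = csrf.cookieFor(token);
        System.out.println("matching token and cookie: " + csrf.verify(token, cookie));
        // An unkeyed double submit would accept cookie == token; the keyed hash rejects it.
        System.out.println("cookie equal to token:     " + csrf.verify(token, token));
        System.out.println("missing cookie:            " + csrf.verify(token, null));
    }
}
```

No server-side session state is needed: the server only has to hold the secret, and a request whose cookie was not produced with that secret fails verification.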
Virtual URI mappings not working if too many are configured
To mitigate an issue caused by having more than 500 configured virtual URI mappings in light modules, a WARN-level message is now logged when a DirectoryWatcher overflow occurs (MAGNOLIA-7762). We also recommend keeping the number of files in a single folder below 100 and using folder hierarchies whenever possible. The issue will be fixed with MAGNOLIA-7798.
Site module inaccessible to non-DX Core users
Site 1.2.4, released with Magnolia 6.1.5, relies on artifacts in maintenance mode and is therefore inaccessible to non-DX Core users. To fix this, the recommended Site 1.3.1 is now available in our public Nexus repository and bundled with Magnolia 6.1.6.
See the 6.1.6 changelog for all the changes.
- Backup 2.4.1
- Blossom 3.3.2
- Cache 5.8.3
- Community Edition 6.1.6
- Content Dependencies 1.9.2
- Definitions App 2.0.1
- Diff 2.1.1
- DX Core 6.1.6
- Image Recognition 1.1.1
- Imaging 3.4.3
- LDAP Connector 1.10.3
- Magnolia 6.1.6
- Mail 5.5.4
- Password Manager 1.2.4
- Publishing 1.2.1
- Resources 2.7.1
- Scheduler 2.3.4
- Site 1.3.1
- Solr Search Provider 5.2.3
- Templating Essentials 1.4
- Third-party library BOM 6.1.6
- UI 6.1.6
- Usage Metrics 1.1.1
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Tytgat Christian, Mirek Ingr, Kathrin Kaufleitner, Philip Mundt, Alex Plouff, Diana Racho and Joerg von Frantzius.