Jahia 7.3.8 Release Notes
October 8, 2024
What's new?
- Several third-party libraries have been upgraded to benefit from their latest security fixes. See the changelog below for the details.
Upgrading from a previous version?
Spring bean modifications
If you have customized your application context in the file digital-factory-config/jahia/applicationcontext-custom.xml, please consult the list of changes we made in our Spring beans, as you might need to update your configuration.
Updated modules and libraries
Library upgrades
The following libraries were updated between Jahia 7.3.7.0 and Jahia 7.3.8.0.
Library | Version in Jahia 7.3.7.0 | Version in Jahia 7.3.8.0 |
---|---|---|
DB driver - Derby | 10.12.1.1 | 10.14.2.0 |
DB driver - MSSQL | 6.4.0.jre8 | 9.2.1.jre8 |
DB driver - MySQL | 5.1.48 | 8.0.23 |
DB driver - Oracle | 12.2.0.1 | 18.3.0.0 |
DB driver - PostgreSQL | 42.2.9 | 42.2.19 |
DB driver - MariaDB | 2.4.1 | 2.7.2 |
protobuf-java | 2.5.0 | 3.15.3 |
jasypt | 1.9.1 | 1.9.3 |
commons-beanutils | 1.8.3 | 1.9.4 |
hibernate-validator | 5.0.1 | 5.4.3 |
hibernate-validator-annotation-processor | 5.0.1 | 5.4.3 |
classmate | 0.8.0 | 1.3.1 |
Saxon-HE | 9.9.1-5 | 10.3 |
xstream | 1.4.11 | 1.4.16 |
xpp3_min / mxparser | 1.1.4c | 1.2.1 |
woodstox-core | 4.0.8 | 6.2.4 |
stax2-api | 3.0.2 | 4.2.1 |
jna | 5.5.0 | 5.8.0 |
groovy | 2.5.6 | 2.5.14 |
groovy-dateutil | 2.5.6 | 2.5.14 |
groovy-json | 2.5.6 | 2.5.14 |
groovy-jsr223 | 2.5.6 | 2.5.14 |
groovy-xml | 2.5.6 | 2.5.14 |
httpclient | 4.5.9 | 4.5.13 |
httpcore | 4.4.11 | 4.4.13 |
jackson-annotations | 2.9.9 | 2.9.10 |
jackson-core | 2.9.9 | 2.9.10 |
jackson-databind | 2.9.9.3 | 2.9.10.8 |
shiro-cache | 1.6.0 | 1.7.1 |
shiro-config-core | 1.6.0 | 1.7.1 |
shiro-config-ogdl | 1.6.0 | 1.7.1 |
shiro-core | 1.6.0 | 1.7.1 |
shiro-crypto-cipher | 1.6.0 | 1.7.1 |
shiro-crypto-core | 1.6.0 | 1.7.1 |
shiro-crypto-hash | 1.6.0 | 1.7.1 |
shiro-event | 1.6.0 | 1.7.1 |
shiro-lang | 1.6.0 | 1.7.1 |
shiro-spring | 1.6.0 | 1.7.1 |
shiro-web | 1.6.0 | 1.7.1 |
maven-model | 3.0.5 | 3.3.9 |
plexus-utils | 2.0.6 | 3.0.22 |
tika-core | 1.24.1-jahia1 | 1.26-jahia1 |
tika-parsers | 1.24.1 | 1.26 |
asm | 7.0 | 9.1 |
bcmail-jdk15on | 1.65 | 1.68 |
bcpkix-jdk15on | 1.65 | 1.68 |
bcprov-jdk15on | 1.65 | 1.68 |
commons-io | 2.4 | 2.8.0 |
commons-lang3 | 3.10 | 3.12.0 |
commons-logging | 1.1.1 | 1.2 |
fontbox | 2.0.19 | 2.0.23 |
pdfbox | 2.0.19 | 2.0.23 |
pdfbox-tools | 2.0.19 | 2.0.23 |
xmpbox | 2.0.19 | 2.0.23 |
preflight | 2.0.19 | 2.0.23 |
metadata-extractor | 2.13.0 | 2.15.0.1 |
xmpcore-shaded | 6.1.10 | 6.1.11 |
isoparser | 1.9.41.2 | 1.9.41.4 |
jcommander | 1.78 | 1.81 |
vorbis-java-core | 0.8 | removed |
vorbis-java-tika | 0.8 | removed |
jcip-annotations | none | 1.0 |
Updated modules
The following modules were updated between Jahia 7.3.7.0 and Jahia 7.3.8.0.
Module | Version in Jahia 7.3.7.0 | Version in Jahia 7.3.8.0 |
---|---|---|
Calendar | 2.0.6 | 2.1.0 |
Content and Media Manager | 1.7.0 | 1.8.0 |
CSRF Guard | 1.2.0 | 1.3.0 |
Default | 7.7.0 | 7.8.0 |
Digitall Demo | 1.1.0 | 1.1.1 |
JQuery | 7.2.0 | 7.3.0 |
Module Manager | 1.3.1 | 1.4.0 |
News | 3.1.0 | 3.2.0 |
Server Settings | 8.4.0 | 8.5.0 |
Server Settings EE | 8.3.0 | 8.4.0 |
Site Settings | 7.5.0 | 7.6.0 |
Tools | 2.5.0 | 2.6.0 |
Jahia 7.3.8.0 - Changelog
Security
For more detail about the minor library upgrades, see the Updated modules and libraries section above.
- Minor upgrades of vulnerable 3rd party libraries
- Updated Saxon library to guard TransformerFactory against XXE attacks
- Fixed the core to prevent Path Traversal Injection
- Fixed the core to prevent Cross Site Scripting (XSS)
- Added an allowlist (whitelist) of the types XStream can deserialize
Core
- Deprecated the Find and FindPrincipal servlets. They will be removed in the next major version release
- Added missing MariaDB SQL patch
- Fixed a versioning tab issue by using the type from the configuration
- Fixed encoding issue on Action redirecting to URL
- Fixed publication of sub-content in Work in progress mode
- Added setting to prevent blocking of non-ASCII characters in URLs
- Fixed issue with missing j:file property leading to errors in VanityURL dashboard
- Site export now occurs in the folder configured with the property jahiaExportsDiskPath
Edit Mode
- Fixed missing paste action in the contextual menu
- Fixed edit engine issue with default value in choicelist initializers
User Dashboard
- Renamed My Web Projects to My Projects
- Added missing labels in My Dashboard for French, Spanish, Portuguese, and Italian
Installer
- Replaced build number with commit hash
Modules - Changelog
Content and Media Manager (1.8.0)
- Allowed "cut" content under pages
Calendar (2.1.0)
- Adapted the module to work with jQuery 3.6.0
CSRF Guard (1.3.0)
- Fixed incompatibility with IE11
Default (7.8.0)
- Removed "force flash player" option for jnt:video as Flash is not supported anymore
- Removed support for jnt:flash as Flash is not supported anymore
Digitall (1.1.1)
- Added the missing j:file property
jquery (7.3.0)
- Added jQuery 3.6.0
Module Manager (1.4.0)
- Fixed module import issue when reimporting after an interruption
- Added logs when the server is restarted with [persisted-bundles].dorestore
Site Settings (7.6.0)
- Adapted the module to work with jQuery 3.6.0
Server Administration (8.5.0)
- Added filter in the error page to hide properties containing "pass" or "password" (case insensitive) in their name
Server Administration EE (8.4.0)
- Fixed permission check on legacy UI for license upload button
Tools (2.6.0)
- Fixed issue when changing CKEditor configuration