Jahia 7.3.8 Release Notes

October 8, 2024

What's new?

  • Several third-party libraries have been upgraded to benefit from their latest security fixes. See the changelog below for the details.

Spring bean modifications

If you have customized your application context in the file digital-factory-config/jahia/applicationcontext-custom.xml , please consult the list of changes we made in our Spring beans as you might need to update your configuration.

 

Library upgrades

The following libraries were updated between Jahia 7.3.7.0 and Jahia 7.3.8.0.

Library Version in Jahia 7.3.7.0 Version in Jahia 7.3.8.0
DB driver - Derby 10.12.1.1 10.14.2.0
DB driver - MSSQL 6.4.0.jre8 9.2.1.jre8
DB driver - MySQL 5.1.48 8.0.23
DB driver - Oracle 12.2.0.1 18.3.0.0
DB driver - PostgreSQL 42.2.9 42.2.19
DB driver - MariaDB 2.4.1 2.7.2
protobuf-java 2.5.0 3.15.3
jasypt 1.9.1 1.9.3
commons-beanutils 1.8.3 1.9.4
hibernate-validator 5.0.1 5.4.3
hibernate-validator-annotation-processor 5.0.1 5.4.3
classmate 0.8.0 1.3.1
Saxon-HE 9.9.1-5 10.3
xstream 1.4.11 1.4.16
xpp3_min / mxparser 1.1.4c 1.2.1
woodstox-core 4.0.8 6.2.4
stax2-api 3.0.2 4.2.1
jna 5.5.0 5.8.0
groovy 2.5.6 2.5.14
groovy-dateutil 2.5.6 2.5.14
groovy-json 2.5.6 2.5.14
groovy-jsr223 2.5.6 2.5.14
groovy-xml 2.5.6 2.5.14
httpclient 4.5.9 4.5.13
httpcore 4.4.11 4.4.13
jackson-annotations 2.9.9 2.9.10
jackson-core 2.9.9 2.9.10
jackson-databind 2.9.9.3 2.9.10.8
shiro-cache 1.6.0 1.7.1
shiro-config-core 1.6.0 1.7.1
shiro-config-ogdl 1.6.0 1.7.1
shiro-core 1.6.0 1.7.1
shiro-crypto-cipher 1.6.0 1.7.1
shiro-crypto-core 1.6.0 1.7.1
shiro-crypto-hash 1.6.0 1.7.1
shiro-event 1.6.0 1.7.1
shiro-lang 1.6.0 1.7.1
shiro-spring 1.6.0 1.7.1
shiro-web 1.6.0 1.7.1
maven-model 3.0.5 3.3.9
plexus-utils 2.0.6 3.0.22
tika-core 1.24.1-jahia1 1.26-jahia1
tika-parsers 1.24.1 1.26
asm 7.0 9.1
bcmail-jdk15on 1.65 1.68
bcpkix-jdk15on 1.65 1.68
bcprov-jdk15on 1.65 1.68
commons-io 2.4 2.8.0
commons-lang3 3.10 3.12.0
commons-logging 1.1.1 1.2
fontbox 2.0.19 2.0.23
pdfbox 2.0.19 2.0.23
pdfbox-tools 2.0.19 2.0.23
xmpbox 2.0.19 2.0.23
preflight 2.0.19 2.0.23
metadata-extractor 2.13.0 2.15.0.1
xmpcore-shaded 6.1.10 6.1.11
isoparser 1.9.41.2 1.9.41.4
jcommander 1.78 1.81
vorbis-java-core 0.8 removed
vorbis-java-tika 0.8 removed
jcip-annotations none 1.0

 

Updated modules

The following modules were updated between Jahia 7.3.7.0 and Jahia 7.3.8.0.

Module Version in Jahia 7.3.7.0 Version in Jahia 7.3.8.0
Calendar 2.0.6 2.1.0
Content and Media Manager 1.7.0 1.8.0
CSRF Guard 1.2.0 1.3.0
Default 7.7.0 7.8.0
Digitall Demo 1.1.0 1.1.1
JQuery 7.2.0 7.3.0
Module Manager 1.3.1 1.4.0
News 3.1.0 3.2.0
Server Settings 8.4.0 8.5.0
Server Settings EE 8.3.0 8.4.0
Site Settings 7.5.0 7.6.0
Tools 2.5.0 2.6.0

Jahia 7.3.8.0 - Changelog

Security

For more detail about the minor library upgrades, see the Updated modules and libraries section above.
  • Minor upgrades of vulnerable 3rd party libraries
  • Updated Saxon library to guard TransformerFactory against XXE attacks
  • Fixed the core to prevent Path Traversal Injection
  • Fixed the core to prevent Cross Site Scripting (XSS)
  • Allowed (whitelist) types xstream can deserialize

Core

  • Deprecated Find and FindPrincipal servlet. They will be removed with next major version release
  • Added missing MariaDB SQL patch
  • Fixed a versioning tab issue by using the type from the configuration
  • Fixed encoding issue on Action redirecting to URL
  • Fixed publication of sub-content in Work in progress mode
  • Added setting to prevent blocking of non-ASCII characters in URLs
  • Fixed issue with missing j:file property leading to errors in VanityURL dashboard
  • Site export occurs now in the folder configured with the property jahiaExportsDiskPath

Edit Mode

  • Fixed missing past action in the contextual menu
  • Fixed edit engine issue with default value in choicelist initializers

User Dashboard

  • Renamed My Web Projects to My Projects
  • Added missing labels in My Dashboard for French, Spanish, Portuguese, and Italian

Installer

  • Replace build number with commit hash

Modules - Changelog

Content and Media Manager (1.8.0)

  • Allowed "cut" content under pages

Calendar (2.1.0)

  • Adapted the module to work with jQuery 3.6.0

CSRF Guard (1.3.0)

  • Fixed incompatibility with IE11

Default (7.8.0)

  • Removed "force flash player" option for jnt:video as Flash is not supported anymore
  • Removed support for jnt:flash as Flash is not supported anymore

Digitall (1.1.1)

  • Added the missing j:file property

jquery (7.3.0)

  • Added jQuery 3.6.0

Module Manager (1.4.0)

  • Fixed module import issue when reimporting after an interruption
  • Added logs when the server is restarted with [persisted-bundles].dorestore

Site Settings (7.6.0)

  • Adapted the module to work with jQuery 3.6.0

Server Administration (8.5.0)

  • Added filter in the error page to hide properties containing "pass" or "password" (case insensitive) in their name

Server Administration EE (8.4.0)

  • Fixed permission check on legacy UI for license upload button

Tools (2.6.0)

  • Fixed issue when changing CKEditor configuration