Jahia 8.1.5 Release Notes

January 31, 2024

What's new?

Jahia 8.1.5.0 is a maintenance release replacing Jahia 8.1.4.0, which has never been made available.

Jahia 8.1.5 is a maintenance release based on the scope of 8.1.4.0, with added fixes for XSS vulnerabilities identified in the back office interfaces. The breaking changes initially introduced in Jahia 8.1.4.0 have been removed from Jahia 8.1.5.0.

Jahia 8.1.4.0 release notes

Rewrite rules configuration

In jahia-page-composer 1.8.0 (packaged with Jahia 8.1.3.0), the global category flag use-query-string="true" was added to keep the query parameters when there's a redirection in Jahia. As it affects all the rewrite rules and all the URLs, we made the decision to roll back this change and worked on another fix that only affects rules related to Jahia edit mode. We strongly encourage you to upgrade jahia-page-composer to version 1.11.0.

Upgrading from a previous version?

Prevent usage of '<' and '>' characters for system names

Starting with Jahia 8.1.5.0, the characters '<' and '>' can no longer be used in node names, as they could be used for XSS attacks.

Nodes containing these characters may not be editable in Content Editor, as Content Editor 4.3.0 does not allow them for the system name property. The following query can be used to identify nodes containing these characters:

select * from [nt:base] where localname() like '%>%' or localname() like '%<%' 

We strongly recommend renaming such nodes proactively, so that these characters are no longer used.
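One way to follow this recommendation, as an added example that is not part of the Jahia release notes or Jahia's own code: it runs the query above through the standard JCR 2.0 API (javax.jcr), prints a dry-run rename plan, and can then apply it. The class name, the '-' replacement character and the way the caller obtains the Session are assumptions.

```java
import java.util.*;
import javax.jcr.*;
import javax.jcr.query.Query;

public final class AngleBracketRename {
    // Query from the release notes above.
    static final String QUERY =
        "select * from [nt:base] where localname() like '%>%' or localname() like '%<%'";

    // Assumption: '<' and '>' become '-'; choose a replacement that fits your naming rules.
    static String sanitize(String name) {
        return name.replace('<', '-').replace('>', '-');
    }

    /** Dry run: maps node identifier -> new name and prints each proposed rename. */
    static Map<String, String> plan(Session session) throws RepositoryException {
        Map<String, String> renames = new LinkedHashMap<>();
        Set<String> reserved = new HashSet<>(); // "parentId/newName" already promised to a sibling
        NodeIterator it = session.getWorkspace().getQueryManager()
                .createQuery(QUERY, Query.JCR_SQL2).execute().getNodes();
        while (it.hasNext()) {
            Node node = it.nextNode();
            Node parent = node.getParent();
            String base = sanitize(node.getName());
            String candidate = base;
            // Avoid clashing with an existing sibling or with another planned rename.
            for (int i = 1; parent.hasNode(candidate)
                    || !reserved.add(parent.getIdentifier() + "/" + candidate); i++) {
                candidate = base + "-" + i;
            }
            renames.put(node.getIdentifier(), candidate);
            System.out.println(node.getPath() + " -> " + candidate);
        }
        return renames;
    }

    /** Applies the plan. Nodes are looked up by identifier, so renaming a parent
     *  first does not invalidate the entries for its descendants. */
    static void apply(Session session, Map<String, String> renames) throws RepositoryException {
        for (Map.Entry<String, String> e : renames.entrySet()) {
            Node node = session.getNodeByIdentifier(e.getKey());
            String parentPath = node.getParent().getPath();
            String dest = ("/".equals(parentPath) ? "" : parentPath) + "/" + e.getValue();
            session.move(node.getPath(), dest);
        }
        session.save(); // persist all renames together
    }
}
```

Review the output of plan() before calling apply(), and run it once per workspace that the query reports matches in.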

Library upgrades

The following libraries were updated between Jahia 8.1.4.0 and Jahia 8.1.5.0:

| Library | Version in Jahia 8.1.4.0 | Version in Jahia 8.1.5.0 |
|---|---|---|
| Apache Felix Web Console | 4.3.16-jahia1 | 4.3.16-jahia2 |

The list of upgraded libraries between 8.1.3.0 and 8.1.4.0 can be found in the Jahia 8.1.4.0 Release notes page.

Updated modules

The following modules were updated between Jahia 8.1.4.0 and Jahia 8.1.5.0:

| Module | Version in Jahia 8.1.4.0 | Version in Jahia 8.1.5.0 |
|---|---|---|
| App Shell | 2.8.0 | 2.8.1 |
| JCR REST API | 3.1.0 | 3.2.0 |
| Profile | 8.0.0 | 8.2.0 |
| Site Settings | 8.5.0 | 8.7.0 |
| Tools | 4.2.0 | 4.4.0 |
| User Dashboard | 8.4.0 | 8.5.0 |

The list of updated modules between 8.1.3.0 and 8.1.4.0 can be found in the Jahia 8.1.4.0 Release notes page.

Security

  • Prevent usage of '<' and '>' in node names
  • Escape characters to protect user properties from XSS attacks

Core

  • Improved the GraphQL patch mechanism to wait for the GraphQL service to be available before running the patches
  • Avoid resolutions when displaying configurations in the OSGi Configuration Manager

The 8.1.3.0 to 8.1.4.0 changelog can be found in the Jahia 8.1.4.0 Release notes page.

Modules included in the upgrade - Changelog

App Shell (2.8.1)

  • Fixed issue with custom login/error pages handling

JCR REST API (3.2.0)

  • Prevent usage of '<' and '>' in node names

Profile (8.2.0)

  • Protect user properties from XSS attacks

Site Settings (8.7.0)

  • Protect user properties from XSS attacks

Tools (4.4.0 depends on Jahia 8.1.4+)

  • Fixed issue with target and action not being reset when switching workspace

User Dashboard (8.5.0)

  • Protect user properties from XSS attacks

Modules - Changelog

The following modules have been released along with the Jahia 8.1.5 release and are not automatically updated when upgrading to 8.1.5, but can easily be updated from the administration.

Server Availability Manager (2.6.0)

  • Improved ClusterConsistency probe to return cellar state (more details here)