Jahia 8.2.2 Release Notes

February 19, 2026

What's new?

Jahia 8.2.2 is a maintenance release that primarily addresses security-related issues detailed on the September security patch page.

Adopting this release is expected to be simple for environments already running Jahia 8.2.1.

About Rolling Upgrade
Jahia 8.2.2.1 includes an updated version of the tasks module. In order to perform a rolling upgrade between Jahia 8.2.2.0 and Jahia 8.2.2.1, you will need to manually install tasks 8.3.0 on your running Jahia 8.2.2.0 before proceeding with the upgrade to Jahia 8.2.2.1. The tasks 8.3.0 module can be downloaded here.

Breaking changes

This release includes two changes that could be considered breaking, depending on your environment.

Stricter file upload validations (introduced in Jahia 8.2.2.0)

This release introduces stricter file upload checks configurable via the property jahiaSecuredFileUpload in the jahia.properties file.

In Jahia 8.1.9.0, this property is set to true by default. Make sure to review the documentation available in the jahia.properties file to determine if and how you are impacted. This documentation is also accessible here.

CSRF protection in /modules/api/bundles (introduced in Jahia 8.2.2.0)

In this release, we removed the ability for /modules/api/bundles to rely on sessions for authentication, which typically means that it will not be possible to call this endpoint from Web UIs.

We expect this use case to be extremely rare (if not nonexistent) since this endpoint was primarily created to support Jahia orchestration use cases, which are unaffected by this change. This endpoint is still reachable via other Jahia authentication mechanisms (token, basic auth).

Password update security (Jahia 8.2.2.1 only)

In Jahia 8.2.2.1, a short-lived server-side validation window was introduced: after a successful current-password verification, a password change may be performed without re-supplying the current password, provided it occurs within the same request / thread context and within the allowed time window (configurable, defaults to 10s).

The fixes implement a window during which a password can be modified after having been first verified. If your code already follows the pattern verifyPassword(currentPassword) followed by setPassword(newPassword) in the same thread, no changes are required.

If you perform the two operations in different threads, or in separate requests without re-verification, you must refactor your code. A sample implementation of a valid password change is available in the Jahia user dashboard (code).

It remains possible to restore the previous behaviour by setting the jahia.user.passwordUpdate.currentPasswordRequired property to false.
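
The window rules described in this section, as a simplified model added here for illustration; it is not Jahia's code. The class PasswordWindowModel, the createUser helper, the two-argument method signatures, the use of a ThreadLocal and the 200 ms demo window are all assumptions of this example.

```java
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical model of the password change window; not Jahia's implementation.
public class PasswordWindowModel {
    // Assumption: the "verified" marker is bound to the verifying thread.
    private static final ThreadLocal<Map<String, Long>> VERIFIED =
            ThreadLocal.withInitial(HashMap::new);
    // Plain strings stand in for hashed credentials to keep the model short.
    private final Map<String, String> passwords = new ConcurrentHashMap<>();
    private final long windowNanos;

    PasswordWindowModel(Duration window) { this.windowNanos = window.toNanos(); }

    void createUser(String user, String password) { passwords.put(user, password); }

    boolean verifyPassword(String user, String candidate) {
        boolean ok = candidate != null && candidate.equals(passwords.get(user));
        if (ok) VERIFIED.get().put(user, System.nanoTime()); // opens the window
        return ok;
    }

    boolean setPassword(String user, String newPassword) {
        Long verifiedAt = VERIFIED.get().get(user);
        if (verifiedAt == null || System.nanoTime() - verifiedAt > windowNanos) {
            return false; // not verified in this thread, or window expired
        }
        passwords.put(user, newPassword);
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Short window so the demo runs quickly; the page gives 10s as the default.
        PasswordWindowModel m = new PasswordWindowModel(Duration.ofMillis(200));
        m.createUser("alice", "old-secret"); // constructed sample data

        // Supported pattern: verify, then set, same thread, inside the window.
        boolean same = m.verifyPassword("alice", "old-secret") && m.setPassword("alice", "new-1");
        System.out.println("same thread, inside window: " + same);

        // Verified in this thread, change attempted from another thread.
        m.verifyPassword("alice", "new-1");
        boolean[] other = new boolean[1];
        Thread t = new Thread(() -> other[0] = m.setPassword("alice", "new-2"));
        t.start();
        t.join();
        System.out.println("different thread: " + other[0]);

        // Same thread, but the change comes after the window has elapsed.
        m.verifyPassword("alice", "new-1");
        Thread.sleep(300);
        System.out.println("same thread, after window: " + m.setPassword("alice", "new-3"));
    }
}
```

Only the first scenario changes the password; the other two correspond to the cases the notes say must be refactored.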

Updated modules in 8.2.2

No modules were updated between Jahia 8.2.1.0 and Jahia 8.2.2.0.

Updated modules

The following modules were updated between Jahia 8.2.1.0 and Jahia 8.2.2.1

| Module | Jahia 8.2.1.0 | Jahia 8.2.2.0 | Jahia 8.2.2.1 |
|--------|---------------|---------------|---------------|
| Tasks  | 8.2.0         | 8.2.0         | 8.3.0         |

Updated libraries in 8.2.2

The following libraries were updated between Jahia 8.2.1.0 and Jahia 8.2.2.0.

No libraries were updated between Jahia 8.2.2.0 and Jahia 8.2.2.1.

| Library                   | Jahia 8.2.1.0 | Jahia 8.2.2.0 |
|---------------------------|---------------|---------------|
| Apache Commons Beanutils  | 1.9.4         | 1.11.0        |
| Apache Commons Compress   | 1.25.0        | 1.27.1        |
| Apache Commons FileUpload | 1.3.3         | 1.6.0         |
| Apache Commons IO         | 2.14.0        | 2.16.1        |
| Apache Commons Lang3      | 3.12.0        | 3.18.0        |
| Apache log4j2             | 2.17.2        | 2.23.1        |
| Apache Tika Parser        | 2.9.1         | 2.9.3         |
| Apache Tomcat             | 9.0.104       | 9.0.107       |
| Apache Commons VFS        | 2.4.1         | 2.10.0        |
| aws-java-sdk-s3           | 1.12.272      | 1.12.787      |
| PostgreSQL driver         | 42.7.5        | 42.7.7        |
| Jackson Core              | 2.15.2        | 2.19.0        |
| Joda Time                 | 2.10.13       | 2.14.0        |
| snakeyaml                 | 2.2           | 2.4           |

 

Jahia 8.2.2 - Changelog

8.2.2.1

The Jahia 8.2.2.1 patch release includes the following additional fixes. You can find details about the corrected vulnerabilities on this page.

  • ✨ Introduction of a password change window
  • 🐛 Better handle exceptions to prevent log flooding
  • ✨ Addressed two XSS vulnerabilities in Jahia Administration

Aside from security fixes, this patch release also includes the following change:

  • 🐛 Fixed a compatibility issue between JDK 17 and Jahia Proxy handling

8.2.2.0

Docker

  • ✨ Simplified Jahia configuration during startup of the Docker images and removed unnecessary dependencies

Security

  • ✨ Introduced a stricter mechanism to validate file uploads, configurable using the jahiaSecuredFileUpload property. This configuration is true by default. Please see the "Breaking Changes" section of this document.