Jahia 8.1.0 Release Notes

Jahia 8.1.0 is a feature release focusing on improving the security of the platform. Many libraries used by Jahia have been updated to benefit from their latest security fixes. The list of updated libraries is available below. The security filter has also been improved, find out more in the Jahia 8.1 - Security update page.

Jahia 8.1.0 also comes with the following noticeable improvements:

• A “structured view” is now available when browsing pages in jContent: this view allows editors to see the technical structure of a page, which can be useful in many cases!
• The “Publish now” button in Content Editor now only publishes the content being edited, and not including the sub-contents anymore. This is a major improvement, allowing you to only publish the new name of a page, without worrying about publishing the content of the page!
• The vanity url dashboard is now available in content editor
• The Personal API Token module is now part of the distribution

Security

• Added log4j2 option "formatMsgNoLookups"  to Tomcat startup  parameters to mitigate CVE-2021-44228 (See Security Patch - December 2021)

Security

• Major upgrades of vulnerable 3rd party libraries

Security Filter

• Added an option to log calls that will be denied with the new security rules
• Added profiles for sysadmin usage
• Added default configurations for security-filter
• Moved security-filter to core bundle
• Fixed errors due to wrong configuration file type

Core

• Upgraded Tomcat from 9.0.45 to 9.0.52
• Dropped support of Maven 3.0
• Added the site creation in the provisioning API
• Added support of Websocket from modules - https://github.com/Jahia/jahia-websocket-sample
• Added property to disable jgroups on atmosphere
• Removed old version of pax-web-features (7.2.11)
• Fixed invalid captcha issue
• Fixed issue with reference nodes cache not refreshed
• Fixed issue with weakreferences used in comparison inside queries
• Fixed memory issue when a lot of JCR events are replayed
• Fixed issue with hidden property on Initializer with addMixin
• Improved JCRFilterTag to prevent some exceptions
• Fixed issue with custom dynamic value initializer
• Fixed issue after upgrade when a higher version of a core module has been upgraded manually before
• Fixed issue with Jahia docker images unable to start without internet connection
• Fixed compilation issue with a transitive dependency of servlet-api
• Added a 2h TimeToLive for external users entries
• Fixed error when updating an empty config from the config manager with a json object
• Fixed the ui allows to paste non droppable content in lists.
• Fixed issue with remember me option at login

Roles and Permissions

• Added permissions on jContent accordion
• Fixed issue with site level external ACE not updated when the related ACE is moved to another site
• Fixed issue with external permissions not created
• Fixed permission issue deleting siteusers with same name in another site

Rules

• Fixed rule engine corruption at startup
• Fixed issue with rules not using the good node to execute the action
• Fixed rules engine issues due to dependant rules across modules

Upgrade

• Fixed issue with jahia-license-tools bundle not started after upgrade when the server has no internet access

Visibility

• Fixed issue with search results count when visibility is active

Workflows

• Fixed issue with workflows not visible by avoiding duplicated users/groups

App Shell (2.4.0)

• Updated the configuration to use websocket connection for subscriptions (See GraphQL section)
• Updated vulnerable dependencies

Content Editor (3.3.0)

• Improved the "Publish now" feature to only publish the page and not the subcontents
• Updated the configuration to use websocket connection for subscriptions (See GraphQL section)
• Updated code after GraphQL libraries upgrade (See GraphQL section)
• Updated dependencies after moving Security filter module into a Core bundle
• Fixed concurrency issue with lock / unlock in content creation / edition / saving
• Fixed issue with save button activated when opening a content
• Fixed issue with random refresh or content not saved when saving form
• Updated vulnerable dependencies
• Fixed display issue with jmix:templateMixin
• Fixed issue displaying properties coming from mixins
• Fixed error logging when copy/pasting a page
• Fixed issue when going back after changing the system name of a page
• Fixed error handling to display an error page instead of a white screen
• Fixed issue with button "Mark as WIP" not well handled when a language is removed
• Fixed Multiple field is not highlighted when having an error on server side validation
• Fixed error logging when publishing new content with advanced settings

CSRF Guard (2.3.0)

• Fixed issue with filtering not applied on SEO urls

Default (8.4.0)

• Upgraded guava from 15.0 to 30.1.1-jre
• Added the possibility to search users from local site and global level to change its roles and permissions

External Provider (4.2.0)

• Upgraded guava from 15.0 to 30.1.1-jre
• Upgraded HttpClient from 3.1 to 5.1
• Upgraded Hibernate from 4.2.7.SP1 to 5.5.3.Final
• Updated vulnerable dependencies
• Fixed issue with mixin subnodes removed after the removal of another mixin

External Provider Users & Groups (2.1.0)

• Upgraded guava from 15.0 to 30.1.1-jre
• Updated vulnerable dependencies

GraphQL DXM Provider (2.7.0)

• Added the ability to return the property of a JCR node as boolean
• Added GraphQL API generic asynchronous support
• Upgraded graphql-java from 11 to 13 / graphql-java-annotations from 6.1 to 7.2.1 / graphql-java-servlet from 4.7.0 to 9.1.0 / jackson from 2.9.10 to 2.10.5
• Improved graphql subscription through one websocket connection (new endpoint /graphqlws to ease proxy configurations)
• Upgraded guava from 15.0 to 30.1.1-jre
• Fixed missing inline error message when input is invalid
• Fixed the Copy CURL action in GraphQL playground
• Fixed issue when filtering a multi-valued property
• Updated vulnerable dependencies

Also introduced in GraphQL DXM Provider (2.6.0):

• Added a Jahia node under admin in the GraphQL schema to support administrative operations
• Updated dependencies after moving Security filter module into a Core bundle
• Added fiels to currentUser node
• Added an admin node to return the list of users
• Added an admin node to read or update Jahia configuration

Jahia Administration (1.4.0)

• Updated vulnerable dependencies

Jahia Dashboard (1.4.0)

• Updated code after GraphQL libraries upgrade (See GraphQL section)
• Updated dependencies after moving Security filter module into a Core bundle
• Updated vulnerable dependencies

Jahia Page Composer (1.5.0)

• Added a custom 404 error page
• Updated vulnerable dependencies
• Added new error page when getting a 404 error
• Fixed issue when accessing Page Composer with a direct link
• Fixed 404 issue after switching site in another application
• Fixed UI issue when the language name or the site name are too long

Jahia UI Root (1.4.0)

• Added a new error page
• Updated packages to fix javascript vulnerabilities

jContent (2.5.0)

• Added the structured view for jContent > content folders
• Improved jContent > Pages by separating page contents and sub-pages
• Added the structured view for jContent > Pages
• Updated dependencies after moving Security filter module into a Core bundle
• Fixed values in pagination dropdown
• Fixed issue with system name search in jContent

jcrestapi (3.1.0)

• Updated dependencies after moving Security filter module into a Core bundle

LDAP Provider (4.3.0)

• Upgrade Spring LDAP from 2.0.2.RELEASE to 2.3.4.RELEASE
• Upgraded guava from 15.0 to 30.1.1-jre
• Fixed wiring issue with ldap at startup

Link Checker (8.2.0)

• Upgraded HttpClient from 3.1 to 5.1

Module Manager (2.3.0)

• Upgraded HttpClient from 3.1 to 5.1
• Improved the refresh handling for modules with dependencies
• Updated packages to fix javascript vulnerabilities

Personal API Tokens (1.1.0)

• Included personal-api-tokens module in the jahia build
• Added the possibility to add scopes when creating a token
• Updated code after GraphQL libraries upgrade (See GraphQL section)
• Updated dependencies after moving Security filter module into a Core bundle
• Fixed issue with previous scope still selected when creating a new token
• Fixed css issue when personal-api-token is deployed

Remote Publication (9.3.0)

• Upgraded guava from 15.0 to 30.1.1-jre
• Upgraded HttpClient from 3.1 to 5.1
• Upgraded Hibernate from 4.2.7.SP1 to 5.5.3.Final

Roles Manager (8.2.0)

• Updated vulnerable dependencies

Search (8.3.0)

• Removed the deprecated Find and FindPrincipal servlets

Security Filter Tools (2.2.0)

• Updated code after GraphQL libraries upgrade (See GraphQL section)
• Updated dependencies after moving Security filter module into a Core bundle

Server Settings (9.4.0)

• Upgraded guava from 15.0 to 30.1.1-jre
• Fixed issue with resource URL leading to a 404

Server Settings EE (9.2.0)

• Upgraded guava from 15.0 to 30.1.1-jre

Site Settings SEO (3.1.0)

• Fixed issue with language dropdown disappearing in a specific use case
• Updated the input component in Content Editor to a more recent one
• Removed the switch between vanity URLs views when there is no vanity
• Removed unnecessary horizontal and vertical bars when editing vanity URL in Content Editor
• Added trim on vanity URLs

 Site Settings SEO (3.0.0)

• Integrate Vanity URL Dashboard in Content Editor
• Added a check to prevent usage of //

Tools (4.0.0)

• Added tool to debug the modules start level
• Upgraded log4j to log4j 2.10.0
• Fixed issue with database connections not released in JCR Integrity Tool

Tools EE (3.2.0)

• Fixed memory issue with jgroups

DX Base Demo Components (2.2.0)

• Upgraded HttpClient from 3.1 to 5.1
• Added jmix:mainResource to jndt:company

Event (3.1.0)

• Added jmix:mainResource to jnt:event

Location (3.1.0)

• Upgraded HttpClient from 3.1 to 5.1
• Removed Geocoder from location module to avoid embedding security flawed HttpClient 3

News (3.3.0)

• Added jmix:mainResource to jnt:news

Person (3.2.0)

• Added jmix:mainResource to jnt:person

Press (3.1.0)

• Added jmix:mainResource to jnt:press