Jahia 8.1.5 Release Notes
What's new?
Jahia 8.1.5 is a maintenance release based on the scope of 8.1.4.0, with added fixes for some XSS vulnerabilities identified in the back office interfaces. The breaking changes initially introduced in Jahia 8.1.4.0 have been removed from Jahia 8.1.5.0.
Rewrite rules configuration
use-query-string="true" was added to keep the query parameters when there is a redirection in Jahia. As it affects all the rewrite rules and all the URLs, we decided to roll back this change and worked on another fix that only affects rules related to Jahia edit mode. We strongly encourage you to upgrade jahia-page-composer to version 1.11.0.
Upgrading from a previous version?
Prevent usage of '<' and '>' characters for system names
Starting with Jahia 8.1.5.0, the characters '<' and '>' can no longer be used in node names, as they could be used for XSS attacks.
Nodes containing these characters may not be editable in Content Editor, as Content Editor 4.3.0 does not allow them for the system name property. The following query can be used to identify nodes containing these characters:
select * from [nt:base] where localname() like '%>%' or localname() like '%<%'
We strongly recommend renaming such nodes proactively, so that these characters are no longer used.
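The following added example (not part of Jahia or of the original release notes) plans such a rename from a list of paths returned by the query above. The underscore replacement, the "-N" collision suffix and the sample paths are assumptions made for illustration; applying the renames in the repository is left to your own tooling.

```python
import posixpath

FORBIDDEN = "<>"  # characters rejected in node names from Jahia 8.1.5.0 on


def sanitize(name, replacement="_"):
    """Replace each '<' or '>' in a local name (the replacement is an assumption)."""
    return "".join(replacement if c in FORBIDDEN else c for c in name)


def plan_renames(flagged_paths, existing_paths=()):
    """Return [(old_path, new_name)] for nodes whose local name has '<' or '>'.

    flagged_paths: paths returned by the query.
    existing_paths: other known node paths, so a rename never lands on a
    name that a sibling already uses.
    """
    taken = set(existing_paths) | set(flagged_paths)
    plan = []
    # Deepest nodes first: renaming a parent before its children would
    # invalidate the children's old paths.
    ordered = sorted(set(flagged_paths), key=lambda p: (-p.count("/"), p))
    for path in ordered:
        parent, name = posixpath.split(path)
        if not any(c in FORBIDDEN for c in name):
            continue  # only the local name counts, as with localname()
        base = sanitize(name)
        candidate, n = base, 1
        while posixpath.join(parent, candidate) in taken:
            n += 1
            candidate = f"{base}-{n}"
        taken.add(posixpath.join(parent, candidate))
        plan.append((path, candidate))
    return plan


# Constructed sample input, not taken from a real repository.
SAMPLE_FLAGGED = [
    "/sites/demo/home/<promo>",
    "/sites/demo/home/<promo>/item>1",
    "/sites/demo/files/a<b",
    "/sites/demo/files/a>b",
]
SAMPLE_EXISTING = ["/sites/demo/files/a_b"]

if __name__ == "__main__":
    for old, new in plan_renames(SAMPLE_FLAGGED, SAMPLE_EXISTING):
        print(f"{old}  ->  {new}")
```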
Updated modules and libraries in 8.1.5.0
Library upgrades
The following libraries were updated between Jahia 8.1.4.0 and Jahia 8.1.5.0:
Library | Version in Jahia 8.1.4.0 | Version in Jahia 8.1.5.0 |
---|---|---|
Apache Felix Web Console | 4.3.16-jahia1 | 4.3.16-jahia2 |
Updated modules
The following modules were updated between Jahia 8.1.4.0 and Jahia 8.1.5.0:
Module | Version in Jahia 8.1.4.0 | Version in Jahia 8.1.5.0 |
---|---|---|
App Shell | 2.8.0 | 2.8.1 |
JCR REST API | 3.1.0 | 3.2.0 |
Profile | 8.0.0 | 8.2.0 |
Site Settings | 8.5.0 | 8.7.0 |
Tools | 4.2.0 | 4.4.0 |
User Dashboard | 8.4.0 | 8.5.0 |
Jahia 8.1.4.0 >> 8.1.5.0 - Changelog
Security
- Prevent usage of '<' and '>' in node names
- Escape characters to protect user properties from XSS attacks
Core
- Improved the GraphQL patch mechanism to wait for the GraphQL service to be available before running the patches
- Avoid resolutions when displaying configurations in the OSGi Configuration Manager
Modules included in the upgrade - Changelog
App Shell (2.8.1)
- Fixed issue with custom login/error pages handling
JCR REST API (3.2.0)
- Prevent usage of '<' and '>' in node names
Profile (8.2.0)
- Protect user properties from XSS attacks
Site Settings (8.7.0)
- Protect user properties from XSS attacks
Tools (4.4.0 depends on Jahia 8.1.4+)
- Fixed issue with target and action not being reset when switching workspace
User Dashboard (8.5.0)
- Protect user properties from XSS attacks
Modules - Changelog
Server Availability Manager (2.6.0)
- Improved ClusterConsistency probe to return cellar state