Elgg 1.8.17 and 1.7.20 have been released to address a few critical security issues. Be sure to upgrade immediately to protect your sites.
Thanks to Mike Kasper and an anonymous contributor for reporting these vulnerabilities to us privately via security@elgg.org.
1.8.17 also includes tons of other fixes:
Thanks to all contributors who worked on these releases:
If you would like to contribute to an Elgg release, fork our repository at GitHub.
aha, thanks! :)
can anyone enlighten me as to what this is?
E.g. http://en.wikipedia.org/wiki/Elgg_(software) should be auto-linked.
can we click upgrade.php and it will be auto updated like wordpress? So we need to copy over files then enter all database settings again and all other stuff? Are there instructions for upgrading please?
@UK. https://www.google.com/search?q=upgrading+elgg
ok thanks
so i have run the upgrade here, all is ok so far.
i am wondering what you are referring to with the phrase above 'The cryptographic key'? - i only think of cryptographic key in terms of encryption - yet i am not aware of elgg using an encrypted key within core code. is this issue resolved by the 'site secret' page i now see linked in the settings list in the admin area? do i need to do any more than just press the 'regenerate site secret' option? (or is this intended to remain secret) ;)
ah great.. the issue with lazy loading images on the activity page not loading on first page load (in chromium browser) is resolved now..
edit: no it's not.. lol.. :(
updated, all done, and i didn't need to change any settings, just some custom things in the core i previously edited
what is this?
Settings : Site Secret
Here is what you copy into your elgg folder, e.g. site.com or the public_html folder. No need to change any settings: just copy over old files, click flush caches, then click upgrade, and after that's it!
thanks guys for a nice update at the start of a new year... :)
sorry i forgot to say thank you too! A BIG thank you to everyone who updated elgg and now elgg has a new official version! I really appreciate everyone's time and effort that has gone into the new official elgg version, it is a very good beginning to the new year : )
The site secret is a core cryptographic key created during installation. The primary motivation for exposing this was that the keys produced were particularly weak on Windows machines, but we didn't want to force regeneration during the upgrade.
Quick question: instead of regular upgrading by overwriting, I would like to do a fresh install on a server with an existing Elgg 1.8.14 database. Is this going to be problematic or can I just point the new Elgg install to the existing database during install (without overwriting the data of course)? Thx.
thanks elgg. but we are waiting for 1.9
@Krischan: you can't point to an existing database during installation. If you want to use an existing database it's always an "update". The database credentials are saved in engine/settings.php. What you could do is delete the Elgg core files of Elgg 1.8.14 from your installation folder (keeping settings.php, .htaccess and 3rd party plugins' folders in mod) and only afterwards copy the new Elgg 1.8.20 files to the installation folder. Then check for changes between your .htaccess and the new htaccess_dist and update your .htaccess if necessary. Lastly run the upgrade script and you're on the new version without any possible outdated core files remaining. If you want to do a "fresh" install with another Elgg installation folder location and continue to use your database and data directory nonetheless, you would have to modify some database entries as described in the instructions at http://docs.elgg.org/wiki/DuplicateInstallation.
@v06: bad idea. There are "security fixes" included in 1.8.20! And even if Elgg 1.9 would be out tomorrow (which will not happen) it will most likely still take a while until the 3rd party plugins you might use are updated. In the meantime your site is exposed to the security issues that are now known.
@iionly don't you mean 1.8.17, not 1.8.20? or maybe you're mistaking it for 1.7.20? anyways great update guys!
@Cim: ah yes... mixed up with 1.7.20. Of course, I meant 1.8.17. :-)
UPDATE WITH YOUR HOSTING SCRIPT INSTALLER, E.G. SOFTLICIOUS. i have a few probs: site is having a few small problems but it's working ok, just when i send a message or go to another part of the site i get a dead page (not found etc.), then i refresh and it's ok.
I clicked generate for this below and now my site errors sometimes when i navigate to a different page
Settings : Site Secret
my problem is now solved it looks like : ) clicked flush caches then upgrade 3 times, cleared browser cache etc. and now it's ok
@Michele: I added an issue about the notification issue this morning: https://github.com/Elgg/Elgg/issues/6309.
@Michele: the code snippet I posted on github in a comment to the notification issue (https://github.com/Elgg/Elgg/issues/6309) is the change that I made to get the notifications working again. This code is in the notify_user() function in engine/lib/notifications.php. Actually I just added the line
in the foreach loop.
Whether this is the best way to solve the issue remains to be decided by the core devs.
@michele I'm not able to reproduce the IE11 issue. I tested with Win7 though.
what changes need to be done for sending notification ??
@sathishkumar Just fix it