Elgg Blog: Elgg 1.8.17 and 1.7.20 Security Releases

Elgg 1.8.17 and 1.7.20 have been released to address a few critical security issues. Be sure to upgrade immediately to protect your sites.

  • A specially-crafted request can return the contents of sensitive files.
  • A reflected XSS attack is possible against 1.8 systems.
  • The cryptographic key used for various purposes may have been generated with weak entropy, particularly on Windows.
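
For anyone auditing several installations, the following Python script is an added example (not part of this post or of the Elgg project) that reads the release string from an Elgg `version.php` and reports whether it is at or above the fixed versions named above. It assumes `version.php` contains an assignment of the form `$release = '1.8.16';`; that file format is an assumption, not something this post states. The sample input is constructed.

```python
import re

# Branch -> first release carrying the fixes announced in this post.
FIXED = {(1, 7): (1, 7, 20), (1, 8): (1, 8, 17)}


def parse_release(version_php: str) -> tuple:
    """Pull the $release string out of an Elgg version.php and return it as an int tuple.

    Assumption (file format not taken from this post): the file contains a line such as
        $release = '1.8.16';
    """
    m = re.search(r"\$release\s*=\s*['\"](\d+(?:\.\d+)*)['\"]", version_php)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    return tuple(int(part) for part in m.group(1).split("."))


def status(release: tuple) -> str:
    """Classify a release against the fixed versions named in this announcement.

    'patched'     - on the 1.7 or 1.8 branch and at or above the fixed release
    'vulnerable'  - on the 1.7 or 1.8 branch but below the fixed release
    'unsupported' - any other branch; this announcement says nothing about it
    """
    branch = tuple(release[:2])
    if branch not in FIXED:
        return "unsupported"
    # Tuple comparison is element-wise, so (1, 8, 16) < (1, 8, 17) as intended.
    return "patched" if tuple(release) >= FIXED[branch] else "vulnerable"


def check_file(version_php: str) -> str:
    """Convenience wrapper: parse the file contents and classify them."""
    return status(parse_release(version_php))


# Constructed sample input; this is not a real Elgg version.php.
SAMPLE_VERSION_PHP = """<?php
$version = 2013030600;
$release = '1.8.16';
"""

if __name__ == "__main__":
    rel = parse_release(SAMPLE_VERSION_PHP)
    print(".".join(map(str, rel)), status(rel))
```

Run it against the real file with `check_file(open("/path/to/elgg/version.php").read())`; a result of "vulnerable" means the site still needs the upgrade described here.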

Thanks to Mike Kasper and an anonymous contributor for reporting these vulnerabilities to us privately via security@elgg.org.

1.8.17 also includes tons of other fixes:

  • URLs with non-ASCII usernames again work
  • Floated images are now properly cleared in content areas
  • The activity page title now matches the document title
  • Search again supports multiple comments on the same entity
  • Group member listings are ordered by name
  • Blog archive sidebar now reverse chronological
  • URLs with matching parens can now be auto-linked
  • Log browser links for users now work
  • Disabling over 50 objects should no longer result in an infinite loop
  • The system_log table can now store IPv6 addresses
  • Radio/checkbox inputs no longer have border radius (for IE10)
  • Htmlawed was upgraded to 1.1.16
  • List functions: no need to specify pagination for unlimited queries
  • User picker: the Only Friends checkbox again works
  • Group bookmarklet no longer shown to non-members
  • Widget reordering fixed when moving across columns
  • Web services auth_gettoken() now accepts email address
  • Refuse to deactivate plugins needed as dependencies

Thanks to all contributors who worked on these releases:

  • Brett Profitt
  • Cash Costello
  • Ed Lyons
  • Evan Winslow
  • Jeroen Dalsem
  • Jerome Bakker
  • Juho Jaakkola
  • Matt Beckett
  • Paweł Sroka
  • Sem
  • Steve Clay

If you would like to contribute to an Elgg release, fork our repository on GitHub.
