Update: The 2.1.2 and 2.0.4 .zips are now fixed. Upon first release they actually contained 2.1.1..

Elgg 2.1.2, 2.0.4, 1.12.11, and 1.11.6 are now available. These fix a potential security issue that arises when a user remains on a page for over 40 minutes.

This affects all versions of Elgg since 1.8.0. Those who cannot upgrade or run unsupported versions should follow these steps:

1. Open the file js/lib/security.js and scroll to the bottom.
2. Add the line: elgg.security.setToken = null;
3. Save the file.
4. Flush the caches via the admin dashboard.

Note that we will be updating our support policy soon with the result that only the 1.12 and 2.1 branches will receive support and security fixes. You should plan to upgrade to one of these branches as soon as possible.

The CHANGELOG entry for Elgg 2.1.2 follows:

Contributors

• Steve Clay (5)
• Ismayil Khayredinov (4)
• Brett Profitt (1)
• Jerôme Bakker (1)
• iionly (1)

Documentation

• ajax: fixes constructor usage of elgg/Ajax (07c7ce49, closes #9533)

Bug Fixes

• core:
  • elgg_get_plugin_setting() respects defaults for values that haven't been cached or created. (1e141d46, closes #9781)
  • Elgg again uses the dataroot given in settings.php (64c23f70, closes #9602)
• errors: nested forward 404 calls are less likely to abruptly fail (068711fa, closes #9476)
• files: file service now sends 304 and 403 headers more reliably (c9af1790, closes #9571)
• js: deprecate elgg.ui.widgets more reliably (c25c5211, closes #9523)
• logger: logger no longer pollutes serve-file response (8209a38b, closes #9657)
• profile: able to store more information in tag fields (0467e3ff)
• reportedcontent:
  • report form opens in lightbox (6db794ac)
  • clicking on reported content links again opens lightbox (55fa9d5c)
• site: allow access to serve-file handler in walled garden mode (1a8d33a1)