Elgg 1.8.5 is ready for download. This release contains three important security enhancements, so be sure to upgrade as soon as possible to keep your network safe.
The first security fix prevents a potential XSS attack against users who click a specially crafted URL. Credit goes to Yang Dingjie of Qualys, Inc. for finding and reporting this bug. The second fix closes a loophole which allowed users to create a new account without requiring validation. Thanks to Paweł Sroka for reporting this issue. The third fix addresses an access bug that could inadvertently reveal private entities to users who wouldn’t otherwise have access. Fortunately this bug is not exploitable for most Elgg installations. Thanks to Mike Hedman for catching that one.
The following notable bugfixes were made:
The full list can always be found in the CHANGES.txt file. Download Elgg 1.8.5 and upgrade as soon as possible to take advantage of the security improvements and bug fixes.
There were a total of 6 contributing developers for this release:
Security issues should be reported to security@elgg.org!
Thumbs up regarding the Elgg 1.8 release.
I wonder though... are the security issues only affecting the Elgg 1.8 tree? Is Elgg 1.7 safe?
Thank you all!
Awesome! Thanks!! Great job!
1.7 is safe
@Evan: Thanks for the info.
Currently running 1.8.3. If I simply upload and overwrite the files as it says in upgrade.txt, will everything still be there or will I have to manually put everything back in afterwards? For example, the mod file with all plugins I have uploaded? Sorry for the rookie question...
It will overwrite all the core files. All the core functionalities will still be there. If your third-party plugins are compatible with 1.8.5 then they will work without errors. If you have made any core modifications, you will lose them.
Thank you, I have several third party plugins, may be best for me to just leave well enough alone for now.
Having plugins is not a problem during upgrades, but if you manually edited any of Elgg's core files or plugins, then upgrading causes problems (which is why we *strongly* discourage you from touching any code you are not actively developing).
I haven't edited anything, but I'm not sure if all the third-party plugins will be compatible, and if they aren't there is no going back down to 1.8.3.
I have a strong suspicion that all the spam which appeared on Elgg networks used the backdoor fixed in this patch (the one reported by Pawel). I advise everyone to upgrade.
@tbevel - You should set up a test environment to test your upgrade so you'll know if the 3rd party plugins work on 1.8.5 or not. This release has very important security fixes, so you really need to upgrade.