We've just released an incremental update for PivotX 2.3. It contains minor updates and fixes, as well as patches for two recently discovered security issues. While these issues cannot be exploited by someone who is not logged in to PivotX, we nevertheless recommend this update for all PivotX users. For more information about the security issues and patches, see the page dedicated to Security issues.
These are the changes since PivotX 2.3.2:
- Added some extra sanity checks to the various file operations in media management.
- Bugfix: Closing file disclosure vulnerability reported by Secunia Research. This vulnerability can only be exploited by administrators and hence Secunia decided to not make an advisory for it.
- Bugfix: Closing cross-site scripting vulnerability reported by High-Tech Bridge.
- Updated jQuery to 1.7.2.
- Updated: PHP Markdown to version 1.0.1o.
- Replaced "echo" with "debug" in set_entry when warning about pasting directly from Word.
- Bug fix: Insert dialogs for the editor now use the current user's language, not the default installation language.
- Relaxing validation for comment notify email field so it allows multiple addresses (like we intended to).
- Added: when the feed_entry and feed_comments hooks return an empty array, the entire entry/comment is skipped in the Feed.
- Added: If config option upload_max_filesize is lower than the server value, use that one
- Changed: MAX_KEYS in spamkiller is now set to 1000
- Added: 'return' parameter to [[category_list]]
- Added: debug statement when an upload is blocked because of wrong file type.
- Fixed: Minor layout fix for the category_list format parameter.
- Fixed: the TimThumb config so it works for multi-site setups again.
- Added: style to hr extended element in tinyMCE / removed 1 of the double defined extended element iframe
- Added: some file extensions so a better download icon is selected when using [[download]]
- Fixed: Correcting widgets page to be similar to extensions page in light of translated strings, display of version
- Fixed: Made the extension check case insensitive in the image preview.
- Added: [[getpage]] now accepts uid / type in textile link
- Fixed: only ignore Smarty cache files if they are in the cache directory
The PivotX 2.3.3 release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our SourceForge mirror.