mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
2.4.9 changelog
This commit is contained in:
parent
3be9499c3a
commit
3fad49e2c0
46
docs/en/changelogs/2.4.9.md
Normal file
46
docs/en/changelogs/2.4.9.md
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
# 2.4.9 (2012-12-04) #
|
||||||
|
|
||||||
|
## Overview ##
|
||||||
|
|
||||||
|
This release provides security fixes to make password hashes more secure,
|
||||||
|
and fixes a regression around duplicated CMS actions.
|
||||||
|
|
||||||
|
## Upgrading
|
||||||
|
|
||||||
|
Impact of the upgrade:
|
||||||
|
|
||||||
|
* Reset password email links generated prior to 2.4.9 will cease to work.
|
||||||
|
* Users who use the "remember me" login feature will have to log in again.
|
||||||
|
|
||||||
|
API changes related security patch 22095dae:
|
||||||
|
|
||||||
|
* `Member::generateAutologinHash` is deprecated. You can no longer get the autologin token from `AutoLoginHash` field in `Member`. Instead use the return value of the `Member::generateAutologinTokenAndStoreHash` and do not persist it.
|
||||||
|
* `Security::getPasswordResetLink` now requires `Member` object as the first parameter. The password reset URL GET parameters have changed from only `h` (for hash) to `m` (for member ID) and `t` (for plaintext token).
|
||||||
|
* `RandomGenerator::generateHash` will be deprecated with 3.1. Rename the function call to `RandomGenerator::randomToken`.
|
||||||
|
|
||||||
|
### Security: Hash autologin tokens before storing in the database.
|
||||||
|
|
||||||
|
Severity: Moderate
|
||||||
|
|
||||||
|
Autologin tokens (remember me and reset password) are stored in the database as a plain text.
|
||||||
|
If attacker obtained the database he would be able to gain access to accounts that have requested a password change, or have "remember me" enabled.
|
||||||
|
|
||||||
|
## Details
|
||||||
|
|
||||||
|
### Bugfixes
|
||||||
|
|
||||||
|
* 2012-11-21 [6eb597a](https://github.com/silverstripe/silverstripe-cms/commit/6eb597a) ed travis.yml paths (Ingo Schommer)
|
||||||
|
* 2012-11-21 [41aec54](https://github.com/silverstripe/silverstripe-cms/commit/41aec54) Consistently use FormResponse in CMS JavaScript (fixes #8036) (Ingo Schommer)
|
||||||
|
* 2012-11-09 [a2501ad](https://github.com/silverstripe/silverstripe-installer/commit/a2501ad) ed bootstrap.php path in phpunit.xml.dist (Ingo Schommer)
|
||||||
|
|
||||||
|
### Other
|
||||||
|
|
||||||
|
* 2012-12-04 [2ea9f26](https://github.com/silverstripe/silverstripe-installer/commit/2ea9f26) Support for composer-created themes dir structure (Ingo Schommer)
|
||||||
|
* 2012-12-04 [75e58c9](https://github.com/silverstripe/silverstripe-cms/commit/75e58c9) More graceful handling of missing GET data in ModelAdmin (Ingo Schommer)
|
||||||
|
* 2012-12-04 [c802659](https://github.com/silverstripe/silverstripe-installer/commit/c802659) Relaxed composer version requirements so that stable releases can be created. (Sam Minnee)
|
||||||
|
* 2012-11-28 [9fa3c52](https://github.com/silverstripe/silverstripe-installer/commit/9fa3c52) Exclude vendor/ folder from default phpunit run (Ingo Schommer)
|
||||||
|
* 2012-11-09 [3f24b0f](https://github.com/silverstripe/silverstripe-cms/commit/3f24b0f) Added README with build status (Ingo Schommer)
|
||||||
|
* 2012-11-09 [65793e2](https://github.com/silverstripe/silverstripe-cms/commit/65793e2) Added travis support (Ingo Schommer)
|
||||||
|
* 2012-11-08 [f8e860f](https://github.com/silverstripe/silverstripe-installer/commit/f8e860f) Removed .mergesources.yml, not used since the dark SVN days (Ingo Schommer)
|
||||||
|
* 2012-11-01 [157a275](https://github.com/silverstripe/silverstripe-installer/commit/157a275) Removed custom repo sources from composer.json (Ingo Schommer)
|
||||||
|
* 2012-11-01 [7abb6ec](https://github.com/silverstripe/silverstripe-cms/commit/7abb6ec) Added composer.json (Ingo Schommer)
|
@ -9,6 +9,10 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
|
|||||||
|
|
||||||
## Stable Releases
|
## Stable Releases
|
||||||
|
|
||||||
|
* [2.4.9](2.4.9) - 2012-12-04
|
||||||
|
* [2.4.8](2.4.8) - 2012-10-30
|
||||||
|
* [2.4.7](2.4.7) - 2012-02-01
|
||||||
|
* [2.4.6](2.4.6) - 2011-10-17
|
||||||
* [2.4.5](2.4.5) - 2 February 2011
|
* [2.4.5](2.4.5) - 2 February 2011
|
||||||
* [2.4.4](2.4.4) - 21 December 2010
|
* [2.4.4](2.4.4) - 21 December 2010
|
||||||
* [2.4.3](2.4.3) - 11 November 2010
|
* [2.4.3](2.4.3) - 11 November 2010
|
||||||
|
Loading…
Reference in New Issue
Block a user