1.5.9 (2018-12-06)
------------------
- Security fixes from Symfony:
- Disclosure of uploaded files full path (CVE-2018-19789).
- Open Redirect Vulnerability when using Security\Http (CVE-2018-19790).
- Vendor updates:
- composer/ca-bundle updated from 1.1.1 to 1.1.3
- doctrine/doctrine-cache-bundle updated from 1.3.3 to 1.3.5
- guzzlehttp/psr7 updated from 1.4.2 to 1.5.2
- jquery.mmenu updated from 7.0.6 to 7.2.2
- monolog/monolog updates from 1.23.0 to 1.24.0
- phpspec/prophecy updated from 1.7.6 to 1.8.0
- psr/log updated from 1.0.2 to 1.1.0
- ralouphie/getallheaders installed in 2.0.5
- sensio/distribution-bundle updated from 5.0.22 to 5.0.23
- sensiolabs/security-checker updated from 4.1.8 to 5.0.1
- symfony/polyfill-* updated from 1.8.0 to 1.10.0
- symfony/symfony updated from 2.8.44 to 2.8.49
- symfony/workflow updated from 3.4.14 to 3.4.20
- vakata/jstree updated from 3.3.5 to 3.3.7
1.5.8 (2018-08-05)
Zikula Core 1.5.8 is available as of today, 05 August, 2018.
Security fixes from Symfony:
Remove support for legacy and risky HTTP headers (CVE-2018-14773).
Possible host header injection when using HttpCache (CVE-2018-14774).
Deprecated:
bootstrap-plus/bootstrap-jqueryui is deprecated and will be removed in 2.1. Use jQuery UI directly.
Fixes:
Unset upgrading flag after successful upgrade (#3899).
Fixed invalid request access in hook controller.
Changed default storage engine in CLI installer to InnoDB (#3909).
Avoid linking to user registration page if registration functionality is disabled.
Use localised date format in user administration list.
Show user account menu on login page (like on registration and forgot xy pages, too).
Moved JavaScript code in several templates into footer area to ensure jQuery is available.
Added maxlength constraint to username field in registration form.
Ensure jQuery UI is loaded before bootstrap (#3912).
Suppress warning in PHP 7.2 if session is accessed before it is regenerated (e.g. during a login) (#3898, #3914).
Fixed wrong modvar reference in ZAuth validator (#3913).
Explicitly specify translation domain in pager templates (#3917).
Explicitly specify translation domain in user mail helper for calls from external modules (#3918).
Avoid information disclosure if database exceptions occur.
Fixed broken user search in Groups administration.
1.5.7 (2018-05-28)
------------------
- Vendor updates:
- gedmo/doctrine-extensions updated from 2.4.33 to 2.4.35
- guzzlehttp/guzzle updated from 6.3.2 to 6.3.3
- phpspec/prophecy updated from 1.7.5 to 1.7.6
- symfony/polyfill-* updated from 1.7.0 to 1.8.0
- symfony/symfony updated from 2.8.38 to 2.8.41
- symfony/workflow updated from 3.4.7 to 3.4.11
1.5.6 (2018-04-13)
------------------
- Fixes:
- Fixed broken fetching of sub categories using legacy category api (#3811).
- Fixed session regeneration warning with PHP 7 (#3886).
- Removed legacy code to enable `cookie_httponly` setting for cookies (#3895).
- Reduced priority of click jack protection listener to execute it later.
- Improved exception handling in legacy layer to remove errors
- Added current request to request stack in admin.php and user.php
- Vendor updates:
- composer/ca-bundle updated from 1.1.0 to 1.1.1
- doctrine/doctrine-cache-bundle updated from 1.3.2 to 1.3.3
- guzzlehttp/guzzle updated from 6.3.0 to 6.3.2
- paragonie/random_compat updated from 2.0.11 to 2.0.12
- sensiolabs/security-checker updated from 4.1.7 to 4.1.8
- symfony/symfony updated from 2.8.34 to 2.8.38
- symfony/workflow updated from 3.4.4 to 3.4.7
- twig/twig updated from 1.35.0 to 1.35.3
1.5.5 (2018-02-24)
BC Breaks:
Removed matthiasnoback/symfony-service-definition-validator (#3885).
Deprecated:
\Zikula\Core\AbstractBundle::getBasePath() is deprecated (#3862).
Fixes:
Fixed wrong request service call in GroupsModule menu (#3874).
Fixed fetching module url from metadata when untranslated (#3876).
Activated translatable fallback for proper handling of content with missing translations.
Added fallback for missing user real names.
Avoid exposure of server pathes in JS assets merger (#3883, #3890).
Fixed missing routes table in CLI upgrade from 1.3.x (#3887, #3888).
Added hints about minimum password length (#3884, #3891).
Fixed broken password strength meter usage in ZAuth administration (#3891).
Vendor updates:
composer/installers updated from 1.4.0 to 1.5.0
doctrine/orm updated from 2.5.13 to 2.5.14
gedmo/doctrine-extensions updated from 2.4.31 to 2.4.33
jquery.mmenu updated from 6.1.8 to 7.0.3
phpspec/prophecy updated from 1.7.3 to 1.7.5
sensio/framework-extra-bundle updated from 3.0.28 to 3.0.29
sensiolabs/security-checker updated from 4.1.6 to 4.1.7
swiftmailer/swiftmailer updated from v5.4.8 to v5.4.9
symfony/polyfill-* updated from 1.6.0 to 1.7.0
symfony/security-acl updated from 3.0.0 to 3.0.1
symfony/symfony updated from 2.8.32 to 2.8.34
symfony/workflow updated from 3.4.1 to 3.4.4
vakata/jstree updated from 3.3.4 to 3.3.5
webmozart/assert updated from 1.2.0 to 1.3.0
willdurand/js-translation-bundle updated from 2.6.5 to 2.6.6
zikula/andreas08-theme updated from 2.0.1 to 2.0.3