@heathdutton heathdutton released this Sep 20, 2018 · 0 commits to staging since this release

This release focuses primarily on stability, but also includes some minor features and performance improvements.

Security Notes

This release fixes 1 security vulnerability:

  • CVE-2018-14773. The IIS-only X_ORIGINAL_URL and X_REWRITE_URL HTTP headers are removed.

Change Log

Features

Enhancements

Bugs

Developer Info

A big thank you to the following community members for contributing to this release by code, bug report, testing and discussion: @alanhartless, @AlbanL74fr, @Araoo, @chamu1986, @chriscalabro, @dbhurley, @Dcoutelle, @dongilbert, @Dreiser, @Enc3phale, @escopecz, @FerRubioMorales, @galvani, @guizero, @heathdutton, @isleshocky77, @IV2KBMoFxYIA, @javjim-mautic, @jimspillane, @johbuch, @KaKite, @KalleVuorjoki, @kuzmany, @LevryKurniawan, @Lologam, @luizeof, @matishaladiwala, @Maxell92, @mbitokhov, @mitresh95, @mleffler, @mqueme, @nartcan, @Noa83, @npracht, @proffalken, @scottshipman, @silsha, @stancel, @vitordesousa, @Woeler, @YosuCadilla, @zofy29

SHA-1: da19d72e138e77f7fb9aaee114c67dab33d7bd3c
Update SHA-1: 70790a4951f61e55ca6f8ce8cc014c9f6af0fd7f

Pre-release

@heathdutton heathdutton released this Sep 6, 2018 · 7 commits to staging since this release

This release focuses primarily on stability, but also includes some minor features and performance improvements.

Remember that this release should NOT be used in a production environment. Set it up in your development environment and give it a good once over. We'd love your feedback!

Full release is planned for 1 week from today. Get any additional bug reports in before then to see your name in the next release!

Security Notes

This release fixes 1 security vulnerability:

  • CVE-2018-14773. The IIS-only X_ORIGINAL_URL and X_REWRITE_URL HTTP headers are removed.

Change Log

Features

Enhancements

Bugs

Developer Info

A big thank you to the following community members for contributing to this release by code, bug report, testing and discussion: @alanhartless, @AlbanL74fr, @Araoo, @chamu1986, @chriscalabro, @dbhurley, @Dcoutelle, @dongilbert, @Dreiser, @Enc3phale, @escopecz, @FerRubioMorales, @galvani, @guizero, @heathdutton, @isleshocky77, @IV2KBMoFxYIA, @javjim-mautic, @jimspillane, @johbuch, @KaKite, @KalleVuorjoki, @kuzmany, @LevryKurniawan, @Lologam, @luizeof, @matishaladiwala, @Maxell92, @mbitokhov, @mitresh95, @mleffler, @mqueme, @nartcan, @Noa83, @npracht, @proffalken, @scottshipman, @silsha, @stancel, @vitordesousa, @Woeler, @YosuCadilla, @zofy29

SHA-1: 6922b6997f7f6aff59c61723c39e0186c696ba9d
Update SHA-1: 8fee92be794756d65069fa259a6d5aaf5bc85bf0

@alanhartless alanhartless released this Jul 25, 2018 · 424 commits to staging since this release

Change Log

Security

  • Prevented updating custom fields that were not set as publicly updateable
  • Fixed theme's Author URL XSS vulnerability (Reported by @joanbono)
  • Fixed company name XSS vulnerability (Reported by @joanbono)

Features

Enhancements

Bugs

Dev Notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @Dcoutelle, @dongilbert, @Dreiser, @Enc3phale, @enguerr, @escopecz, @GaberNeighbor, @GabriGreese, @guillaumedufour, @hammad-tfg, @heathdutton, @isleshocky77, @johbuch, @jonasstinkens, @justinfortes, @kuzmany, @luizeof, @Maxell92, @maxlawton, @Mazzim, @mtahiue, @Noa83, @npracht, @panchtatvam, @r-martins, @rc125, @sarahwernik, @scottshipman, @snoek8, @stoneddesigner, @tadinski, @Woeler, @yrammos

SHA1 for 2.14.0.zip = 1a926d8d3752c85bc3cc2543625d8762e44ca206
SHA1 for 2.14.0-update.zip = faab69da1ad5303523450195838e0ef126104832

Pre-release

@dongilbert dongilbert released this Jul 17, 2018 · 437 commits to staging since this release

The long-awaited release is here! We were finally able to herd the cats and now present to you Mautic 2.14.0-beta.

Remember that this release should NOT be used in a production environment. Set it up in your development environment and give it a good once over. We'd love your feedback!

Full release is planned for 2 weeks from today. Get any additional bug reports in before then to see your name in the next release!

Change Log

Features

Enhancements

Bugs

Developer Info

SHA-1: b32453f89cb549b6ce58c8f3fad6eab3a01f3c12

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @davevurby, @Dcoutelle, @dongilbert, @Dreiser, @enable-jon, @Enc3phale, @enguerr, @escopecz, @GaberNeighbor, @GabriGreese, @guillaumedufour, @hammad-tfg, @heathdutton, @isleshocky77, @johbuch, @jonasstinkens, @justinfortes, @kuzmany, @luizeof, @Maxell92, @maxlawton, @Mazzim, @mtahiue, @Noa83, @npracht, @panchtatvam, @r-martins, @rc125, @renjith341, @sarahwernik, @scottshipman, @snoek8, @stoneddesigner, @tadinski, @Woeler, @yrammos

@alanhartless alanhartless released this Apr 24, 2018 · 1343 commits to staging since this release

Change Log

Enhancements

Bugs

Developer Notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @Dreiser, @escopecz, @Flavio1998, @GaberNeighbor, @galvani, @hafeezhameed, @johbuch, @kuzmany, @Maxell92, @npracht, @rowlandhill

SHA1: 330094d1017d164d08cf2f4143ed9ece039506c6

@alanhartless alanhartless released this Apr 17, 2018 · 1454 commits to staging since this release

Security Notices

  1. [CVE-2018-8092] Closed the possibility of a CSV injection with exported contact lists - https://www.owasp.org/index.php/CSV_Injection (Reported by @joanbono with Accenture’s Prague TVM Team)
  2. [CVE-2018-8071] Closed an XSS vulnerability injected into the UI through the title of a dashboard widget (Reported by @joanbono with Accenture’s Prague TVM Team)
  3. [CVE-2018-8071] Closed an XSS vulnerability injected into the UI through a theme config file (Reported by @joanbono with Accenture’s Prague TVM Team)
  4. [CVE-2018-10189] Closed the possibility of hijacking sessions due to tracking contacts by an auto-incremented ID. This allowed a 3rd party to systematically emulate sessions for contacts, which could let them glean information about the contacts through a form leveraging progressive profiling. Contacts are now tracked by a unique device ID, although the old cookies are still made available to the browser for backwards-compatibility (BC) purposes. (Reported by @micschk).

Note: The feature Identify visitor by tracking url is still subject to vulnerability number 4 above. New installations now have it disabled by default but existing installations had it enabled. Therefore, if you are not using this feature, have the email custom field set as publicly updatable, and are leveraging form progressive profiling, please disable Identify visitor by tracking url in Mautic's configuration's Tracking Settings.

(CVEs are pending)
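
For the CSV injection item (CVE-2018-8092) above, an added example that is not Mautic's code and does not claim to show how Mautic fixed it: neutralising formula-leading cells when a contact list is exported, following the OWASP guidance linked in the notice. The function names and the sample contacts are constructed for illustration.

```python
import csv
import io

# Leading characters that a spreadsheet may interpret as the start of a
# formula (the set listed in the OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # Prefixing an apostrophe makes the cell plain text. Trade-off:
        # legitimate values such as "-5" or "+1 555 0100" are prefixed too.
        return "'" + text
    return text


def export_contacts(rows, fieldnames):
    """Serialise contact dicts to CSV, neutralising every cell on the way out."""
    buffer = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one cell,
    # so a value cannot break out and begin a new cell with a formula.
    writer = csv.DictWriter(buffer, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralise_cell(row.get(name)) for name in fieldnames})
    return buffer.getvalue()


# Constructed sample data: field values as a visitor could submit them in a form.
SAMPLE_CONTACTS = [
    {"id": 1, "email": "alice@example.com", "company": "Example Ltd"},
    {"id": 2, "email": "bob@example.com", "company": "=SUM(1,2)"},
    {"id": 3, "email": "carol@example.com", "company": "+1 555 0100, ext 2"},
    {"id": 4, "email": "dave@example.com", "company": "Smith, Jones & Co"},
]

if __name__ == "__main__":
    print(export_contacts(SAMPLE_CONTACTS, ["id", "email", "company"]))
```

The check belongs at export time rather than at input time, because the same stored value is harmless in HTML or JSON output and only becomes a formula once a spreadsheet opens the file.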

Change Log

Features

  • #5854 Added plugin support for 3rd party SMS transports (@galvani)
  • #5797 Added new API endpoint to send a SMS to contact (@kuzmany)
  • #5794 Added plugin to integrate with Zapier per their app requirements (@escopecz)
  • #5644 Added ability to clone segments (@davevurby)
  • #5379 Track the source that created and identified a contact (displayed in the contact's History timeline) (@Dreiser)
  • #4800 New campaign condition based on a contact's campaign membership (@kuzmany)

Enhancements

  • #5790 Display URL custom fields with hyperlinks (@heathdutton)
  • #5730 Added support to add no-index header to landing pages (@kuzmany)
  • #5667 Added support to add no-index header to assets (@kuzmany)
  • #5715 Added chunking options to the broadcast command (@escopecz)
  • #5611 Added support to update company fields in tracking code (@kuzmany)
  • #5437 Implemented lead device tracking rather than contact ID tracking (@Dreiser)
  • #4732 Option to set contact as the reply to for the send form results post submit action (@captivea-ylb)
  • #5718 Updated vendors to latest patch versions (@escopecz)
  • #5621 Require OpenSSL for new installations and removed mcrypt as required (@Dreiser)
  • #5582 Improved campaign progress statistics user interface (@renjith341)

Bugs

  • #5842 Fixed CRM not mapping company custom fields for new companies (@alanhartless)
  • #5841 Fixed bug in SF that did not use the nextUrl when syncing more than 2K and use SystemModStamp instead of LastModifiedDate (@alanhartless)
  • #5840 Only push companies for integration syncs if push is enabled (@alanhartless)
  • #5838 Added custom field alias constraint for database special keywords to prevent query errors (@escopecz)
  • #5835 Escape backslashes in company names (and just in case, contact emails) to prevent Salesforce query errors (@alanhartless)
  • #5834 Fixed issue with batch deleting custom fields where schema remained intact (@alanhartless)
  • #5812 Import command when delayed will return success instead of failure (@escopecz)
  • #5807 Save email stats before sending to ensure stat is available for emails sent immediately (@alanhartless)
  • #5804 Add lead to the log only after persisted to avoid cascade persist error (@escopecz)
  • #5800 Fixed email tokens that did not hydrate company data (@alanhartless)
  • #5762 Use appropriate for loop on preEventDeliveryQueue array instead of for…in (@dongilbert)
  • #5758 Fix social login with automatic generate form html code (@kuzmany)
  • #5754 Fixed case where special characters in forms embedded on landing pages may not show (@kuzmany)
  • #5752 Fixed issue with extending forms where data was not passed to the FormField through the $options array (@kuzmany)
  • #5750 Fixed setting contact's owner and stage via API (@escopecz)
  • #5741 Fixed email dynamic content owner lookup (@kuzmany)
  • #5735 Replace the use of eval-based JavaScript (@Flavien)
  • #5702 Fixed the UI for Form Field properties tab (@kuzmany)
  • #5701 Fixed problem with MailjetTransport header X-MJ-CUSTOMID (@XRaccourci)
  • #5697 Fix pending count on segment email (@Dcoutelle)
  • #5676 Prevented a PHP Notice, Undefined variable: companyFields (@escopecz)
  • #5675 Update the contact's primary company name after company name changed (@kuzmany)
  • #5666 Fixed API activity date filters (@Noa83)
  • #5620 Fixed Froala code view editor where image CSS was getting stripped (@GaberNeighbor)
  • #5616 Fixed multi-select field matching with SugarCRM (@stancel)
  • #5599 Prevent errors if trying to execute subsequent actions for a contact just removed from a campaign (@kuzmany)
  • #5551 Fix multiselect custom field in campaign condition (@kuzmany)
  • #5545 Fixed vTiger mapping issue (@kuzmany)
  • #5533 Fixed segmenting contacts based on multi-select custom fields (@kuzmany)
  • #5520 Prevented creating duplicate contacts through the API due to sanitizing unique identifiers after checking for existing (@escopecz)
  • #5304 Fixed generated HTML for forms embedded into focus items (@kuzmany)
  • #5291 Added Zoho unit tests (@Dcoutelle)
  • #5258 Fixed syncing multi-select fields with Pipedrive (@kuzmany)

Developer notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @brandner, @calevans, @captivea-ylb, @chendwww, @chrisinf, @coffeverton, @davevurby, @Dcoutelle, @dongilbert, @Dreiser, @dsp76, @escopecz, @Flavien, @GaberNeighbor, @galvani, @heathdutton, @joanbono, @johbuch, @justinfortes, @KaKite, @kuzmany, @manishbhatias, @micschk, @mMuck, @mrerich, @Noa83, @npracht, @renjith341, @rowlandhill, @sarahwernik, @stancel, @XRaccourci, @YannickBiet, @yourdigitalclub

SHA1: fc130eefbde2eb22a4d1de3aa5815b98c177d782

Pre-release

@alanhartless alanhartless released this Apr 9, 2018 · 1490 commits to staging since this release

Change Log

Features

  • #5854 Added plugin support for 3rd party SMS transports (@galvani)
  • #5797 Added new API endpoint to send a SMS to contact (@kuzmany)
  • #5794 Added plugin to integrate with Zapier per their app requirements (@escopecz)
  • #5644 Added ability to clone segments (@davevurby)
  • #5379 Track the source that created and identified a contact (displayed in the contact's History timeline) (@Dreiser)
  • #4800 New campaign condition based on a contact's campaign membership (@kuzmany)

Enhancements

  • #5790 Display URL custom fields with hyperlinks (@heathdutton)
  • #5730 Added support to add no-index header to landing pages (@kuzmany)
  • #5667 Added support to add no-index header to assets (@kuzmany)
  • #5715 Added chunking options to the broadcast command (@escopecz)
  • #5611 Added support to update company fields in tracking code (@kuzmany)
  • #5437 Implemented lead device tracking rather than contact ID tracking (@Dreiser)
  • #4732 Option to set contact as the reply to for the send form results post submit action (@captivea-ylb)
  • #5718 Updated vendors to latest patch versions (@escopecz)
  • #5621 Require OpenSSL for new installations and removed mcrypt as required (@Dreiser)
  • #5582 Improved campaign progress statistics user interface (@renjith341)

Bugs

  • #5842 Fixed CRM not mapping company custom fields for new companies (@alanhartless)
  • #5841 Fixed bug in SF that did not use the nextUrl when syncing more than 2K and use SystemModStamp instead of LastModifiedDate (@alanhartless)
  • #5840 Only push companies for integration syncs if push is enabled (@alanhartless)
  • #5838 Added custom field alias constraint for database special keywords to prevent query errors (@escopecz)
  • #5835 Escape backslashes in company names (and just in case, contact emails) to prevent Salesforce query errors (@alanhartless)
  • #5834 Fixed issue with batch deleting custom fields where schema remained intact (@alanhartless)
  • #5812 Import command when delayed will return success instead of failure (@escopecz)
  • #5807 Save email stats before sending to ensure stat is available for emails sent immediately (@alanhartless)
  • #5804 Add lead to the log only after persisted to avoid cascade persist error (@escopecz)
  • #5800 Fixed email tokens that did not hydrate company data (@alanhartless)
  • #5762 Use appropriate for loop on preEventDeliveryQueue array instead of for…in (@dongilbert)
  • #5758 Fix social login with automatic generate form html code (@kuzmany)
  • #5754 Fixed case where special characters in forms embedded on landing pages may not show (@kuzmany)
  • #5752 Fixed issue with extending forms where data was not passed to the FormField through the $options array (@kuzmany)
  • #5750 Fixed setting contact's owner and stage via API (@escopecz)
  • #5741 Fixed email dynamic content owner lookup (@kuzmany)
  • #5735 Replace the use of eval-based JavaScript (@Flavien)
  • #5702 Fixed the UI for Form Field properties tab (@kuzmany)
  • #5701 Fixed problem with MailjetTransport header X-MJ-CUSTOMID (@XRaccourci)
  • #5697 Fix pending count on segment email (@Dcoutelle)
  • #5676 Prevented a PHP Notice, Undefined variable: companyFields (@escopecz)
  • #5675 Update the contact's primary company name after company name changed (@kuzmany)
  • #5666 Fixed API activity date filters (@Noa83)
  • #5620 Fixed Froala code view editor where image CSS was getting stripped (@GaberNeighbor)
  • #5616 Fixed multi-select field matching with SugarCRM (@stancel)
  • #5599 Prevent errors if trying to execute subsequent actions for a contact just removed from a campaign (@kuzmany)
  • #5551 Fix multiselect custom field in campaign condition (@kuzmany)
  • #5545 Fixed vTiger mapping issue (@kuzmany)
  • #5533 Fixed segmenting contacts based on multi-select custom fields (@kuzmany)
  • #5520 Prevented creating duplicate contacts through the API due to sanitizing unique identifiers after checking for existing (@escopecz)
  • #5304 Fixed generated HTML for forms embedded into focus items (@kuzmany)
  • #5291 Added Zoho unit tests (@Dcoutelle)
  • #5258 Fixed syncing multi-select fields with Pipedrive (@kuzmany)

Developer notes

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @brandner, @calevans, @captivea-ylb, @chendwww, @chrisinf, @coffeverton, @davevurby, @Dcoutelle, @dongilbert, @Dreiser, @dsp76, @escopecz, @Flavien, @GaberNeighbor, @galvani, @heathdutton, @johbuch, @justinfortes, @KaKite, @kuzmany, @manishbhatias, @mMuck, @mrerich, @Noa83, @npracht, @renjith341, @rowlandhill, @sarahwernik, @stancel, @XRaccourci, @YannickBiet, @yourdigitalclub

SHA1: c18cf1fdcb1fc57074fcf051218cf81193aa1f28

@Gregy Gregy released this Feb 27, 2018 · 1756 commits to staging since this release

Security Notes

This release fixes 2 security vulnerabilities.

  1. SQL injection vulnerability when fetching asset file size reported by Victor Odiah
  2. AJAX POST requests CSRF vulnerability reported by Victor Odiah

Enhancements

Change Log

Bugs

Developer

SHA1: 081b467829b9cc3ddb81f90d855e31e9da6535ab

A big thank you to the following community members for contributing to this release either by code or bug report: @4evermaat, @alanhartless, @arturu, @chrisschrijver, @davevurby, @dbhurley, @dongilbert, @Dreiser, @escopecz, @gingerling, @hason, @johbuch, @kuzmany, @marcel-ambta, @matishaladiwala, @Maxell92, @MaxWebmecanik, @mikerowe81, @Noa83, @npracht, @phil-davis, @sarahwernik, @shulard, @thomeudt, @XRaccourci

Pre-release

@alanhartless alanhartless released this Jan 25, 2018 · 1772 commits to staging since this release

Change Log

Enhancements

Bugs

Developer

SHA1: 8de03ac54e207c1d9dc87778402e79a617f8baa5

A big thank you to the following community members for contributing to this release either by code or bug report: @4evermaat, @alanhartless, @arturu, @chrisschrijver, @davevurby, @dbhurley, @dongilbert, @Dreiser, @escopecz, @gingerling, @hason, @johbuch, @kuzmany, @marcel-ambta, @matishaladiwala, @Maxell92, @MaxWebmecanik, @mikerowe81, @Noa83, @npracht, @phil-davis, @sarahwernik, @shulard, @thomeudt, @XRaccourci

@alanhartless alanhartless released this Jan 4, 2018 · 1874 commits to staging since this release

Change Log

Enhancements

Bugs

Developer Info

SHA1 Hash: 68eae0b27442b32f24d41cb4bea8fbfaa2f9772e

A big thank you to the following community members for contributing to this release either by code or bug report: @alanhartless, @cklingsporn, @dantearaujo, @dbhurley, @Dcoutelle, @dongilbert, @escopecz, @howlinghuffy, @isleshocky77, @johbuch, @justinfortes, @kuzmany, @luizeof, @lvnilesh, @maltonite, @Maxell92, @micschk, @phil-davis, @RCheesley, @renjith341, @robwent, @VitorSavedra, @zhakid