Skip to content

Commit

Permalink
2.4.9 changelog
Browse files Browse the repository at this point in the history
  • Loading branch information
@chillu
chillu committed Dec 4, 2012
1 parent 3be9499 commit 3fad49e
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 0 deletions.
46 changes: 46 additions & 0 deletions docs/en/changelogs/2.4.9.md
View file
@@ -0,0 +1,46 @@
# 2.4.9 (2012-12-04) #

## Overview ##

This release provides security fixes to make password hashes more secure,
and fixes a regression around duplicated CMS actions.

## Upgrading

Impact of the upgrade:

* Reset password email links generated prior to 2.4.9 will cease to work.
* Users who use the "remember me" login feature will have to log in again.

API changes related security patch 22095dae:

* `Member::generateAutologinHash` is deprecated. You can no longer get the autologin token from `AutoLoginHash` field in `Member`. Instead use the return value of the `Member::generateAutologinTokenAndStoreHash` and do not persist it.
* `Security::getPasswordResetLink` now requires `Member` object as the first parameter. The password reset URL GET parameters have changed from only `h` (for hash) to `m` (for member ID) and `t` (for plaintext token).
* `RandomGenerator::generateHash` will be deprecated with 3.1. Rename the function call to `RandomGenerator::randomToken`.

### Security: Hash autologin tokens before storing in the database.

Severity: Moderate

Autologin tokens (remember me and reset password) are stored in the database as a plain text.
If attacker obtained the database he would be able to gain access to accounts that have requested a password change, or have "remember me" enabled.

## Details

### Bugfixes

* 2012-11-21 [6eb597a](https://github.com/silverstripe/silverstripe-cms/commit/6eb597a) ed travis.yml paths (Ingo Schommer)
* 2012-11-21 [41aec54](https://github.com/silverstripe/silverstripe-cms/commit/41aec54) Consistently use FormResponse in CMS JavaScript (fixes #8036) (Ingo Schommer)
* 2012-11-09 [a2501ad](https://github.com/silverstripe/silverstripe-installer/commit/a2501ad) ed bootstrap.php path in phpunit.xml.dist (Ingo Schommer)

### Other

* 2012-12-04 [2ea9f26](https://github.com/silverstripe/silverstripe-installer/commit/2ea9f26) Support for composer-created themes dir structure (Ingo Schommer)
* 2012-12-04 [75e58c9](https://github.com/silverstripe/silverstripe-cms/commit/75e58c9) More graceful handling of missing GET data in ModelAdmin (Ingo Schommer)
* 2012-12-04 [c802659](https://github.com/silverstripe/silverstripe-installer/commit/c802659) Relaxed composer version requirements so that stable releases can be created. (Sam Minnee)
* 2012-11-28 [9fa3c52](https://github.com/silverstripe/silverstripe-installer/commit/9fa3c52) Exclude vendor/ folder from default phpunit run (Ingo Schommer)
* 2012-11-09 [3f24b0f](https://github.com/silverstripe/silverstripe-cms/commit/3f24b0f) Added README with build status (Ingo Schommer)
* 2012-11-09 [65793e2](https://github.com/silverstripe/silverstripe-cms/commit/65793e2) Added travis support (Ingo Schommer)
* 2012-11-08 [f8e860f](https://github.com/silverstripe/silverstripe-installer/commit/f8e860f) Removed .mergesources.yml, not used since the dark SVN days (Ingo Schommer)
* 2012-11-01 [157a275](https://github.com/silverstripe/silverstripe-installer/commit/157a275) Removed custom repo sources from composer.json (Ingo Schommer)
* 2012-11-01 [7abb6ec](https://github.com/silverstripe/silverstripe-cms/commit/7abb6ec) Added composer.json (Ingo Schommer)
4 changes: 4 additions & 0 deletions docs/en/changelogs/index.md
View file
Expand Up @@ -9,6 +9,10 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins

## Stable Releases

* [2.4.9](2.4.9) - 2012-12-04
* [2.4.8](2.4.8) - 2012-10-30
* [2.4.7](2.4.7) - 2012-02-01
* [2.4.6](2.4.6) - 2011-10-17
* [2.4.5](2.4.5) - 2 February 2011
* [2.4.4](2.4.4) - 21 December 2010
* [2.4.3](2.4.3) - 11 November 2010
Expand Down

0 comments on commit 3fad49e

Please sign in to comment.