Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

2.4.9 changelog

  • Loading branch information...
commit 3fad49e2c00a1334553f0da2ac28ea97b224c2a7 1 parent 3be9499
@chillu chillu authored
Showing with 50 additions and 0 deletions.
  1. +46 −0 docs/en/changelogs/2.4.9.md
  2. +4 −0 docs/en/changelogs/index.md
View
46 docs/en/changelogs/2.4.9.md
@@ -0,0 +1,46 @@
+# 2.4.9 (2012-12-04) #
+
+## Overview ##
+
+This release provides security fixes to make password hashes more secure,
+and fixes a regression around duplicated CMS actions.
+
+## Upgrading
+
+Impact of the upgrade:
+
+* Reset password email links generated prior to 2.4.9 will cease to work.
+* Users who use the "remember me" login feature will have to log in again.
+
+API changes related security patch 22095dae:
+
+* `Member::generateAutologinHash` is deprecated. You can no longer get the autologin token from `AutoLoginHash` field in `Member`. Instead use the return value of the `Member::generateAutologinTokenAndStoreHash` and do not persist it.
+* `Security::getPasswordResetLink` now requires `Member` object as the first parameter. The password reset URL GET parameters have changed from only `h` (for hash) to `m` (for member ID) and `t` (for plaintext token).
+* `RandomGenerator::generateHash` will be deprecated with 3.1. Rename the function call to `RandomGenerator::randomToken`.
+
+### Security: Hash autologin tokens before storing in the database.
+
+Severity: Moderate
+
+Autologin tokens (remember me and reset password) are stored in the database as a plain text.
+If attacker obtained the database he would be able to gain access to accounts that have requested a password change, or have "remember me" enabled.
+
+## Details
+
+### Bugfixes
+
+ * 2012-11-21 [6eb597a](https://github.com/silverstripe/silverstripe-cms/commit/6eb597a) ed travis.yml paths (Ingo Schommer)
+ * 2012-11-21 [41aec54](https://github.com/silverstripe/silverstripe-cms/commit/41aec54) Consistently use FormResponse in CMS JavaScript (fixes #8036) (Ingo Schommer)
+ * 2012-11-09 [a2501ad](https://github.com/silverstripe/silverstripe-installer/commit/a2501ad) ed bootstrap.php path in phpunit.xml.dist (Ingo Schommer)
+
+### Other
+
+ * 2012-12-04 [2ea9f26](https://github.com/silverstripe/silverstripe-installer/commit/2ea9f26) Support for composer-created themes dir structure (Ingo Schommer)
+ * 2012-12-04 [75e58c9](https://github.com/silverstripe/silverstripe-cms/commit/75e58c9) More graceful handling of missing GET data in ModelAdmin (Ingo Schommer)
+ * 2012-12-04 [c802659](https://github.com/silverstripe/silverstripe-installer/commit/c802659) Relaxed composer version requirements so that stable releases can be created. (Sam Minnee)
+ * 2012-11-28 [9fa3c52](https://github.com/silverstripe/silverstripe-installer/commit/9fa3c52) Exclude vendor/ folder from default phpunit run (Ingo Schommer)
+ * 2012-11-09 [3f24b0f](https://github.com/silverstripe/silverstripe-cms/commit/3f24b0f) Added README with build status (Ingo Schommer)
+ * 2012-11-09 [65793e2](https://github.com/silverstripe/silverstripe-cms/commit/65793e2) Added travis support (Ingo Schommer)
+ * 2012-11-08 [f8e860f](https://github.com/silverstripe/silverstripe-installer/commit/f8e860f) Removed .mergesources.yml, not used since the dark SVN days (Ingo Schommer)
+ * 2012-11-01 [157a275](https://github.com/silverstripe/silverstripe-installer/commit/157a275) Removed custom repo sources from composer.json (Ingo Schommer)
+ * 2012-11-01 [7abb6ec](https://github.com/silverstripe/silverstripe-cms/commit/7abb6ec) Added composer.json (Ingo Schommer)
View
4 docs/en/changelogs/index.md
@@ -9,6 +9,10 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
## Stable Releases
+ * [2.4.9](2.4.9) - 2012-12-04
+ * [2.4.8](2.4.8) - 2012-10-30
+ * [2.4.7](2.4.7) - 2012-02-01
+ * [2.4.6](2.4.6) - 2011-10-17
* [2.4.5](2.4.5) - 2 February 2011
* [2.4.4](2.4.4) - 21 December 2010
* [2.4.3](2.4.3) - 11 November 2010
Please sign in to comment.
Something went wrong with that request. Please try again.