
EE Security and Maintenance Releases

by: Robin Sowell on: 4/7/2011

Updates for all versions of ExpressionEngine have been released today to incorporate several security improvements and critical bug fixes. No sites are known to have been affected by the security issues, all of which are obscure; exploitation is nonetheless possible, so this update is recommended for all users.

2.1.3 and 2.1.4 Beta are both build releases that incorporate a CodeIgniter security release improving XSS filtering and the sanitization of variables passed in the URL. There are also two ExpressionEngine-specific security changes in the new builds: a tightening of the encryption used with the contact form and improved handling of code tags in submitted data.

All Critical-Major bugs existing at the time of the release were also fixed. The full list of 2.1.4 Beta changes can be viewed in the Change Log. Developers should note that the security library should no longer be explicitly loaded. Version 2.1.3 incorporates all of those changes plus the critical bug fixes that had already been added to the Beta:

  • Fixed a bug (#14821) where the category tree would not properly sort by a custom order.
  • Fixed a bug (#14708) where the control panel login did not redirect with a session id, breaking access in some cases.
  • Fixed a bug (#14417) in the Metaweblog API where categories were not properly entered when creating a new entry.

Version 1.7.1 is a version update that includes the XSS filtering changes and the changes to code tag handling as well as a number of bug fixes. See the change log for a full list of changes.

I would also like to note that this is the last of the “old style” EllisLab releases. We’ve revamped our approach to releases in a way that will allow us to get bug fixes and other small updates out on a much more timely and consistent basis, which will make life better for all of us. You can see some of those changes at work already with the bug fixes included in these releases.

Leslie (EllisLab CEO) and Derek Jones (President/CTO) will be posting more about these changes very soon.

