SilverStripe 2.3.6 - Security Release


Ingo Schommer

Feb 8, 2010, 12:21:26 AM
to SilverStripe Release Announcements
We have a new release of SilverStripe available: 2.3.6

Thanks to everyone who gave us bug reports on our release candidates.
The release is now stable and ready for production use!

Download here: http://www.silverstripe.org/assets/downloads/SilverStripe-v2.3.6.tar.gz
Changelog: http://open.silverstripe.org/wiki/ChangeLog/2.3.6
Post bug reports here: http://open.silverstripe.com

Security related changes:
* XSS in DataObjectSet pagination
* Information disclosure through debug_memory and debug_profile GET
parameters

Thanks,
Ingo Schommer

Ingo Schommer

Feb 10, 2010, 3:52:07 PM
to SilverStripe Release Announcements
Note: The security release includes two API changes which were
necessary, unfortunately. They're noted in the changelog already, but
to make this clear:

[98375] HTTP::setGetVar() always returns absolute URLs. Use
Director::makeRelative() to make them relative again. (merged from
r98373)
[98375] HTTP::setGetVar() combines any GET parameters in PHP array
notation (e.g. "foo[bar]=val") instead of replacing the whole array
(merged from r98373)

If you've used HTTP::setGetVar(), please check your sites before
upgrading.
