 |
|
You are here: Foswiki>Download Web>FoswikiRelease02x01x07 (04 Apr 2022, MichaelDaum)Edit Attach
Foswiki archived release
This release is superseded by Foswiki 2.1.8. Visit the download page.Table of Contents
Security alerts or advisories apply to this release: - CVE-2023-24698: Local file inclusion vulnerability in viewfile
- CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes infromation about paths and files on the server
Download
GPG Signatures and MD5 checksums are provided for verifying the integrity of the files for the primary download packages.| File | GPG | MD5 | Description |
|---|---|---|---|
 Foswiki-2.1.7.tgz |
GPG | MD5 | tar gz version of Foswiki |
| Foswiki-2.1.7.zip |
GPG | MD5 | zip version of Foswiki |
Upgrade packages
If you already have an earlier version of Foswiki 1.1.X installed, you can extract an upgrade package on top of the installation. Themajor.minor part of the release should not be changed by an upgrade package.
Upgrade packages must not be used to upgrade older releases.
| File | GPG | MD5 | Description |
|---|---|---|---|
| Foswiki-upgrade-2.1.7.tgz |
GPG | MD5 | upgrade tar gz version of Foswiki |
| Foswiki-upgrade-2.1.7.zip |
GPG | MD5 | upgrade zip version of Foswiki |
%STARTSECTION{"download-none"}%
<blockquote class="foswikiAlert"> *This release has not been built yet!* This is a draft of the release announcement. If you want an early start to testing, see Development.GitBasedInstall.</blockquote>
%ENDSECTION{"download-none"}%
%STARTSECTION{"download-topic"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
url="%PUBURLPATH%/%BASEWEB%/%BASETOPIC%"
upgraded=""
upgrade=""
}%
%ENDSECTION{"download-topic"}%
%STARTSECTION{"download-topic-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
url="%PUBURLPATH%/%BASEWEB%/%BASETOPIC%"
upgraded="upgrade-"
upgrade="upgrade"
}%
%ENDSECTION{"download-topic-upgrade"}%
%STARTSECTION{"download-sourceforge"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
url="http://sourceforge.net/projects/foswiki/files/foswiki/%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
upgraded=""
upgrade=""
}%
%ENDSECTION{"download-sourceforge"}%
%STARTSECTION{"download-sourceforge-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
url="http://sourceforge.net/projects/foswiki/files/foswiki/%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
upgraded="upgrade-"
upgrade="upgrade"
}%
%ENDSECTION{"download-sourceforge-upgrade"}%
%STARTSECTION{"download-github"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
url="https://github.com/foswiki/distro/releases/download/%FORMFIELD{"ReleaseTag" topic="%BASETOPIC%"}%"
upgraded=""
upgrade=""
}%
%ENDSECTION{"download-github"}%
%STARTSECTION{"download-github-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
url="https://github.com/foswiki/distro/releases/download/%FORMFIELD{"ReleaseTag" topic="%BASETOPIC%"}%"
upgraded="upgrade-"
upgrade="upgrade"
}%
%ENDSECTION{"download-github-upgrade"}%
%STARTSECTION{"download"}%
%TABLE{sort="off"}%
| *File* | *GPG* | *MD5* | *Description* |
| [[%url%/Foswiki-%upgraded%%release%.tgz][%ICON{download}% Foswiki-%upgraded%%release%.tgz]] | [[%url%/Foswiki-%upgraded%%release%.tgz.asc][GPG]] | [[%url%/Foswiki-%release%.md5][MD5]] | %upgrade% tar gz version of Foswiki |
| [[%url%/Foswiki-%upgraded%%release%.zip][%ICON{download}% Foswiki-%upgraded%%release%.zip]] | [[%url%/Foswiki-%upgraded%%release%.zip.asc][GPG]] | [[%url%/Foswiki-%release%.md5][MD5]] | %upgrade% zip version of Foswiki |%IF{"'%upgraded%'='' and '%FORMFIELD{"VMImage" topic="%BASETOPIC%"}%'='1'" then="
| [[%url%/Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%][%ICON{download}% Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%]] | [[%url%/Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%.asc][GPG]] | [[%url%/Foswiki-%release%-vmware.md5][MD5]] | [[Support.VirtualMachineImages][VM Image (instructions)]] |"}%%ENDSECTION{"download"}%
%STARTSECTION{"upgrade-header"}%
---++ Upgrade packages
%IF{"'%BASETOPIC%'/UpgradeFrom=''"
else="These packages can be used to upgrade __Foswiki Release %FORMFIELD{"UpgradeFrom" topic="%BASETOPIC%"}% or newer__. See [[#Upgrade_Instructions]] for further information"
then="If you already have an earlier version of Foswiki %FORMFIELD{"ReleaseMajor" topic="%BASETOPIC%"}%.%FORMFIELD{"ReleaseMinor" topic="%BASETOPIC%"}%.X installed, you can extract an upgrade package on top of the installation. The =major.minor= part of the release should not be changed by an upgrade package."}%
%X% Upgrade packages must not be used to upgrade older releases.
%ENDSECTION{"upgrade-header"}%
Getting help & providing feedback
Don't forget to use the upgrade or installation guides. If you need help, there are several options:- The IRC channel
- foswiki-discuss mailing list
- Support forum
- Paid support
- File a new task for bug reports
- Create, review or comment on feature proposals to help influence the future of Foswiki
- Chat with other users, developers, translators, and testers on our friendly IRC channel
- If E-mail is more your thing, try our foswiki-discuss mailing list
Highlights of this release
Multiple cross-site scripting vulnerability in jQuery and jQuery UI
These fixes are described in- CVE-2021-41182: XSS in the `altField` option of the Datepicker widget in jQuery UI < 1.30.0
- CVE-2021-41183: XSS in `*Text` options of the Datepicker widget in jQuery UI < 1.30.0
- CVE-2021-41184: XSS in the `of` option of the `.position()` util in jQuery UI &kt; 1.30.0
- CVE-2016-7103: XSS in closeText option of Dialog in jQuery UI < 1.12.0
- Fixes for CVE-2015-9251 and CVE-2019-11358 have been backported from jquery-3.x to jquery-2.x which is being used by default
Regular Expression Denial of Service vulnerability in jquery.validate
Details in CVE-2021-21252Possible server site request forgery exposing the session id
For decades Foswiki and TWiki had ways to access the session id of a user and make it available on a wiki page using the%SESSIONID macro.
Anybody that has got access to a session id can use this session in behalf of the user that is associated with it.
There are multiple ways to leak this information to the outside using this macro. Therefore the two related macros %SESSIONID and %SESSIONVAR
are deprecated for security reasons and have been disabled by default using the {Sessions}{HideSessionVariable} setting. Note that these macros
will be removed completely in the next minor release.
QUERY macro does not check access rights
While macros such as%FORMFIELD only allowed access only to information the current user has got view rights for, the %QUERY macro does not.
Reimplementation of livequery using mutation observer
The LiveQuery module is at the core of Foswiki's javascript framework, alas was abandoned upstream. In the meantime modern browsers now
all support a feature called "mutation observer" to monitor changes to the DOM in an efficient standardized way. Thus a new module called Observer has been implemented
on this base to initialize javascript modules in a declarative way as it has been done before using LiveQuery.
The following issues have been reported against FoswikiRelease02x01x07. Tasks in "Closed" or "Waiting for Release" state will be fixed in the next release.
Detailed list
Security Fixes
| # | Task | Component | Summary |
|---|---|---|---|
| 1 | Item15061 | JQueryPlugin | multiple cross-site scripting vulnerability in jQuery UI |
| 2 | Item15048 | LoginManager | disable access to sessionid |
| 3 | Item15033 | JQueryPlugin | update jquery.validate |
| 4 | Item15024 | QUERY | QUERY macro does not check access rights |
| 5 | Item14936 | Engine | eliminate use of 2-args open() |
| 6 | Item14918 | JQueryPlugin | backport fix of CVE-2015-9251 and CVE-2019-11358 |
| 7 | Item14903 | Engine | change password accepts "1" as an old password |
Bug Fixes
| # | Task | Priority | Component | Summary |
|---|---|---|---|---|
| 1 | Item15071 | Normal | Engine | add some more useful entries to mime.types |
| 2 | Item15070 | Normal | WysiwygPlugin | use of uninitialized variable when there is no text |
| 3 | Item15069 | Normal | Engine | improvements to radio, checkbox and label |
| 4 | Item15067 | Normal | JQueryPlugin | jquery-ui's dialogs maniplulate the z-index of the widget on every mouseclick |
| 5 | Item15066 | Normal | JQueryPlugin | rating formfield is not mergeable |
| 6 | Item15058 | Normal | JQueryPlugin | script tags for javascrit i18n should not use src attribute |
| 7 | Item15057 | Normal | PageCache | Add support for MariaDB |
| 8 | Item15047 | Urgent | Engine | Deep recursion if UserInterfaceInternationalisation is enabled yet no languages are enabled |
| 9 | Item15045 | Urgent | RCSStoreContrib | getRevisionInfo of an attachment always returns the revision info of the first attachment on the topic |
| 10 | Item15041 | Urgent | Engine | global FOSWIKI_BROADCAST not initialized correctly |
| 11 | Item15038 | Normal | NatEditPlugin | select2 formfields were not validated |
| 12 | Item15032 | Normal | TinyMCEPlugin | tinymce cannot attach a file when strike one is disabled |
| 13 | Item15031 | Normal | NatEditPlugin | be less restrictive checking compatible acl settings in editor |
| 14 | Item15030 | Normal | Engine | encoding error including attachments |
| 15 | Item15029 | Normal | Engine | Meta::getPreferences() sometimes fails when called too early |
| 16 | Item15028 | Urgent | Engine | store password during registration |
| 17 | Item15027 | Normal | JQueryPlugin | add jquery-3.6.0 |
| 18 | Item15026 | Normal | Engine | modernize default link protocol pattern |
| 19 | Item15025 | Urgent | Engine | FORMFIELD and QUERY don't read the correct topic object |
| 20 | Item15023 | Urgent | FORMFIELD | Eliminate local cache in FORMFIELD macro |
| 21 | Item15022 | Urgent | Engine | Change notifications not send out under certain conditions |
| 22 | Item15014 | Urgent | ConfigurePlugin | prevent password fields from being autofilled in configure |
| 23 | Item15010 | Urgent | RCSStoreContrib | configure fails to accept newer rcs versions |
| 24 | Item15008 | Normal | NatEditPlugin | bring back support for "dontnotify" in natedit |
| 25 | Item15007 | Normal | Engine | extender.pl too loud on STDERR |
| 26 | Item15006 | Urgent | Engine | missing cpan dependencies for core engine |
| 27 | Item15004 | Normal | Engine | use relative urls wherever possible |
| 28 | Item15000 | Normal | JQueryPlugin | fix button's behavior in disabled state |
| 29 | Item14996 | Urgent | Engine | wrong url host if foswiki called via localhost |
| 30 | Item14992 | Urgent | HistoryPlugin | always display date and time of revisions |
| 31 | Item14990 | Normal | Engine | remove explicit undef from return statement |
| 32 | Item14991 | Normal | TopicUserMappingContrib | improve performance of isGroup() call |
| 33 | Item14970 | Urgent | Engine | INCLUDEing an url does not decode the retrieved content according to its charset |
| 34 | Item14946 | Normal | UnitTestContrib, RCSStoreContrib | RCS storage tests fail with a one-off second difference sometimes |
| 35 | Item14945 | Normal | Engine | improve performance of template loader |
| 36 | Item14944 | Urgent | Engine | cannot use zero in alttext of FORMFIELD |
| 37 | Item14943 | Normal | Engine | document publicOnly parameter in %INCLUDE and make it a true boolean |
| 38 | Item14942 | Normal | Engine | make sure isValueMapped is defined for any formfield |
| 39 | Item14941 | Normal | CommentPlugin | only load comment.js and comment.css on pages where it is required |
| 40 | Item14937 | Normal | Engine | error parsing dotted triplets ip addresses |
| 41 | Item14938 | Normal | Engine | don't return compressed content when calling foswiki on the command line |
| 42 | Item14935 | Normal | Engine | leave absolute_urls context when an exception occured during registration |
| 43 | Item14934 | Normal | Engine | language file compression isn't experimental anymore |
| 44 | Item14933 | Normal | TwistyPlugin | remove dependency on jquery.livequery module |
| 45 | Item14931 | Normal | Engine | Error moving file with [space]WikiWord[space] name. |
| 46 | Item14929 | Normal | EditRowPlugin | Single '0' (zero) not displayed in any table if plugin is activated for that topic |
| 47 | Item14910 | Normal | UnitTestContrib, core | Remove Taint::Runtime |
| 48 | Item14908 | Urgent | Engine | cannot use zero as a formfield default |
| 49 | Item14906 | Urgent | Engine | OP_ref has to read data relative to the topic being queried |
| 50 | Item14902 | Low | Documentation | Add new Ubuntu 20.04 required perl module to requirements |
| 51 | Item14890 | Normal | PatternSkin | breadcrumbs won't line-break on mobile devices |
| 52 | Item14884 | Urgent | Engine | performance problem listing webs (hotfix available) |
| 53 | Item14874 | Normal | JQueryPlugin, BuildContrib | deprecate uglify-js and yuicompressor in favor of terser and csso |
| 54 | Item14873 | Normal | UpdatesPlugin | rewrite and simplify UpdatesPlugin |
| 55 | Item14839 | Urgent | JQueryPlugin | fix default value in textboxlist formfields |
| 56 | Item14840 | Urgent | JQueryPlugin | fix tooltip position in draggable elements |
| 57 | Item14819 | Urgent | TinyMCEPlugin | lost content on specific editor interactions |
| 58 | Item14809 | Low | Documentation | System/InstallGuide Step 2: Ownership table lists wrong FreeBSD group |
| 59 | Item14773 | Low | ConfigurePlugin | configure documentation refers to FastReport. Should be JsonReport |
| 60 | Item14766 | Urgent | JQueryPlugin | deprecate all 1.x jquery, deprecate all 2.x except the latest |
| 61 | Item14762 | Normal | JQueryPlugin | jquery.loader does not clear timeout properly for automated reloading |
| 62 | Item14741 | Normal | SpreadSheetPlugin | EVAL(0) should return 0 not the empty string |
| 63 | Item14739 | Urgent | Engine | regression: cannot control logged actions anymore |
| 64 | Item14732 | Urgent | Engine | statistics script blocks all of foswiki |
| 65 | Item14731 | Normal | WysiwygPlugin | illegal json returned by attachments rest handler |
| 66 | Item14730 | Normal | Engine | can't use path with a 0 (zero) in it |
| 67 | Item14729 | Normal | Engine | fix regular expression for headings trying to support ExplicitNumberingPlugin |
| 68 | Item14725 | Normal | JQueryPlugin | wrong initial color of jquery.farbtastic dialog |
| 69 | Item14722 | Normal | JQueryPlugin | add jquery.browser as a separate module being removed from newer jQuery |
| 70 | Item14721 | Normal | JQueryPlugin | fix loading of language files for jquery.i18n |
| 71 | Item14689 | Urgent | FoswikiNet | Email::Address is deprecated, Email::Address::XS is the preferred module. |
| 72 | Item14688 | Low | InterwikiPlugin | Typos in InterwikiPlugin documentation. |
| 73 | Item14687 | Low | Documentation, FoswikiPrefs | SET macro documentation related to INCLUDE and topic scope is incorrect. |
| 74 | Item14685 | Urgent | NatEditPlugin | permissions read from the wrong topic |
| 75 | Item14662 | Normal | CommentPlugin | comment type "return" not functional |
| 76 | Item14660 | Normal | JQueryPlugin, NatEditPlugin | missing tab id causes a javascript error |
| 77 | Item14564 | Urgent | JQueryPlugin | add jquery-3 and an appropriate migrate module |
| 78 | Item13134 | Urgent | UnitTestContrib | HTML::Tidy fails to validate html5 |
Enhancements
| # | Task | Component | Summary |
|---|---|---|---|
| 1 | Item15068 | JQueryPlugin | don't bubble up jquery.loader events |
| 2 | Item15065 | JsonRpcContrib | add jsonRpc api to foswiki namespace in javascript |
| 3 | Item15060 | JQueryPlugin | add validation rule for foswikiMandatory css class |
| 4 | Item15059 | JQueryPlugin | JQICONs create a stray html attribute |
| 5 | Item15043 | FastCGIEngineContrib | unable to configure zero max requests |
| 6 | Item15044 | FastCGIEngineContrib | improve free bsd startup scripts |
| 7 | Item15040 | PatternSkin | add include cover |
| 8 | Item15021 | SlideShowPlugin | multiple enhancements to SlideshowPlugin |
| 9 | Item15019 | PatternSkin | give logos a proper dimension |
| 10 | Item15018 | JQueryPlugin | rework some old css code in jQuery |
| 11 | Item15005 | FastCGIEngineContrib | too many log messages in fastcgi procmanager |
| 12 | Item15003 | FastCGIEngineContrib | improve freebsd init script for foswiki service |
| 13 | Item15002 | JQueryPlugin | improve placement of content in jquery.loader |
| 14 | Item14994 | JSCalendarContrib | don't generate inline @import-ed css |
| 15 | Item14963 | FastCGIEngineContrib | add warmup parameter |
| 16 | Item14901 | ConfigurePlugin | Add support for XML and CERT data types in configure pages |
| 17 | Item14897 | NatEditPlugin | rationalize edit template structure for better customization |
| 18 | Item14875 | JQueryPlugin | various maintenance fixes |
| 19 | Item14837 | JQueryPlugin | update animate.css to latest upstream version |
| 20 | Item14838 | JQueryPlugin | add "remember" feature to tabs |
| 21 | Item14767 | JQueryPlugin | implement a proper icon service |
| 22 | Item14735 | JQueryPlugin | use animate.css for jquery.loader effects instead of jQuery's own ones |
| 23 | Item14728 | JQueryPlugin | forward "open" event of ui-dialogs to jqUIDialogLink element |
| 24 | Item14724 | JQueryPlugin | enhance Makefile system to support sass and babel |
| 25 | Item14727 | JQueryPlugin | improve locale support of datepicker |
| 26 | Item14726 | JQueryPlugin | better support for +values in textboxlist |
| 27 | Item14723 | JQueryPlugin | upgrade jquery.sprintf |
| 28 | Item14720 | JQueryPlugin | upgrade animate.css to latest release |
| 29 | Item14571 | JQueryPlugin | add manual sorting mode to textboxlist |
| 30 | Item14572 | JQueryPlugin | upgrade jquery.livequery |
| 31 | Item14569 | JQueryPlugin | deprecate jquery.placeholder |
| 32 | Item14568 | JQueryPlugin | add chili recipes for autolisp and ini |
| 33 | Item14567 | JQueryPlugin | add keyboard navigation to jquery.stars |
| 34 | Item14454 | JQueryPlugin | Bundle JsViews as an option with JsRender |
Installation
Please refer to the INSTALL.html which can be found the downloaded tgz/zip. It can be also found on Foswiki.org in the System.InstallationGuideUpgrade Instructions
In-place upgrade from any release prior to Foswiki 1.1.0 is not recommended. Older Foswiki installations should install Foswiki as a new release, configure, and then migrate data to the new installation.
- See System.UpgradeGuide for details on upgrading from older versions of Foswiki
- See System.SystemRequirements for the latest System Requirements.
- Be sure to take a backup!
- The upgrade packages excludes files "commonly" modified, for example, WebHome, WebPreferences, AdminGroup, etc. If your installation has modified other topics, or template files, those updates will be lost!
- If you use
tar, then you can extract the upgrade package on top of your installation by using: (Be sure to run this as your web server user to avoid changing file ownership.)
cd /var/www/foswiki tar --strip-components=1 -zxf /path/to/Foswiki-upgrade-2.x.x.tgz cd tools ./configure --save
- Similarly, if you are using the
zipupgrade package, then
cd /var/www/foswiki unzip -o /path/to/Foswiki-upgrade-2.x.x.zip cd tools ./configure --save
- After upgrade, restart the web server, clear the foswiki page cache, clear your browser cache.
- If things are not fully working, verify file system permissions and ownership. See System.InstallationGuide#Step_2:_Confirm_file_and_directory_ownership_and_permissions
License
- This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
- This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- See the GNU General Public License for more details, published at http://www.gnu.org/copyleft/gpl.html
Release Details
- Build date 2022-03-28
- Publish date 2022-03-28
- Built from github commit 6d2258532b
Edit | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 04 Apr 2022, MichaelDaum
- This page was cached on 28 Nov 2024 - 04:48.
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy