Vanilla 2.1.1 - important security & bug release
Announcing the availability of 2.1.1, a security & bug fix release for 2.1.
It is imperative all 2.1 forums upgrade immediately.
- HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).
- Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing and both he and @businessdad for assistance in making our patches as bulletproof as possible).
- Fixed a Twitter SSL bug (thanks @Adrian for the patch).
- Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
- cleditor was patched to fix a crippling IE11 bug.
- Profile Extender was upgraded and a security flaw in it was fixed.
- Fixed a bug in Announcing while starting a discussion.
- Corrected the default theme README.
- Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
- Fixes a theme screenshot bug (thanks @hgtonight for the patch).
As you can see, some extremely critical fixes are included. The only feature addition is those added to the Profile Extender addon as a result of getting backported from 2.2 (master) branch.
Diff of 2.1.1 against 2.1 gold. (32 files changed, so I don't recommend a selective upgrade on this one.)
220.127.116.11 has the same XSS issues and its patch will be released this weekend is available here as 18.104.22.168.