 News  geekwright  29-Apr-2019 23:20  9  13790 reads
XOOPS 2.5.10 Released
The XOOPS Development Team is pleased to announce the release of XOOPS 2.5.10 Final.

This version includes numerous improvements and fixes, including:
- PHP 7.3 compatibility
- MySQL 8.0 compatibility
- XMF improvements for module writers
- Security updates
- Updated libraries
- and many more fixes and updates

See the change log for more details.

You can download from GitHub.

The guide for installations and updates is available on GitBook.

It is recommended to upgrade all XOOPS systems to version 2.5.10.

Thanks for all your patience and support!
  • Moderator

 Re: XOOPS 2.5.10 Final Released

Thank you Richard for all your hard work and leadership on this release!
And thanks to all who contributed!
After all, XOOPS is powered by you!!!

 
  • Quite a regular

 Re: XOOPS 2.5.10 Final Released

Great work. Thanks to all

 
  • Friend of XOOPS

 Re: XOOPS 2.5.10 Final Released

Thanks, installing now :)

 
  • Just popping in

 Re: XOOPS 2.5.10 Final Released

Hello~
The file
XoopsCore25-2.5.10\htdocs\class\model\write.php
line 273

public function insert(&$object, $force = true)

should be compatible with XoopsPersistableObjectHandler::insert(XoopsObject $object, $force = true)

 
  • Friend of XOOPS

 Re: XOOPS 2.5.10 Final Released

The jQuery used has a security problem:

Updated in 2.5.10 : - jQuery 3.3.1 (mamba)

But: jQuery Update 3.4.0 vulnerability
Reported by: MikeNGarrett Owned by: azaozz
jQuery's latest release contains a fix for jQuery.extend which allows for unintended behavior which could lead to cross site scripting attacks.

From jQuery's 3.4.0 release notes:
jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

This vulnerability affects all previous versions of jQuery. As they mention in the release notes, "patch diffs exist to match previous jQuery versions."

jQuery 3.4.1 is out, why outdated files in a new Xoops?

 
  • Friend of XOOPS

 Re: XOOPS 2.5.10 Final Released

When I click on 'Download Xoops' on the Homepage, I get the link for 2.5.9 from 2017... Who can fix that?

 
  • Quite a regular

 Re: XOOPS 2.5.10 Final Released

jQuery 3.4.0 was released well into the XOOPS 2.5.10 release cycle. While some sources made alarming claims about the possible exploitation of the prototype pollution, jQuery itself described the change as "Minor vulnerability fix: Object.prototype pollution."

Truth is, it is a low risk exposure that has existed for a long time, and XOOPS usage of jQuery does not match the usage patterns that would be most exploitable.

But, on the other hand, there is a very significant risk in introducing a change of that magnitude late in a release cycle. In fact, the rushed release of jQuery 3.4.0 introduced additional issues, and jQuery described 3.4.1 as "... we’ve had a few issues reported that warranted a patch release." Also note, jQuery 3.4.1 could not be included in XOOPS because it was not yet released.

XOOPS 2.5.10 includes some changes which some modules in development depend on, and the delay of restarting the release cycle (which would still be going on) would have been painful and detracted from other efforts. There is always a risk/reward balance to be maintained at the product release decision.

At this point XOOPS 2.5.10 is more secure than any previous version. The planned 2.5.11 maintenance release, due in September, will include an updated jQuery.

 
  • Friend of XOOPS

 Re: XOOPS 2.5.10 Final Released

Thanks for the (long) explanation, so we can use Xoops without problem. However, I saw a post on the internet about an SQL injection vulnerability in 2.5.9. I have sent Mamba a message and a mail but didn't get any feedback, so I will send you a mail. I want to know your opinion, check your PM.

 
  • Just popping in

 Re: XOOPS 2.5.10 Final Released

Installed on a server with PHP 5.4.16 and MySQL 5.6.46 ... cool admin graph, but I noted I cannot change a module's name ... when I try, the name (in the menu too) stays blank. I also have some problems with the ExtGallery installation ... where can I ask for suggestions? TY for your work, anyway.

Updated ... texts also disappear when editing an account ...; I installed the 2.5.8 version before and it does not have such problems ... But I cannot add ExtGallery 1.14 there ... I tried with ExtGallery 1.11 but I get an error like this:

Error ErrorCall to undefined method ExtgalleryGroupPermForm::XoopsGroupPermForm()