Release Notes for XWiki 14.4.3

Last modified by Ilie Andriuta on 2022/08/04

This is the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.

This is a bug fix version, fixing important issues (including several security vulnerablities) discovered since XWiki 14.4.2 has been released.

New and Noteworthy (since XWiki 14.4.2)

Full list of issues fixed and Dashboard for 14.4.3.

Upgrades

The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):

Translations

The following translations have been updated: 

Tested Browsers & Databases

Here is the list of browsers we support and how they have been tested for this release:

 BrowserTested on:
Firefox30.pngMozilla Firefox 103Tests run and results
Chrome30.pngGoogle Chrome 103Jira Tickets Marked as Fixed in the Release Notes
Edge30.pngMicrosoft Edge 103Not Tested
Safari30.pngSafari 15Not Tested

Here is the list of databases we support and how they have been tested for this release:

 DatabaseTested on:
hypersql.pngHyperSQL 2.6.1Not Tested
postgresql.pngPostgreSQL 14Not Tested
mariadb.pngMariaDB 10.6Tests run and results 
mysql.pngMySQL 8Jira Tickets Marked as Fixed in the Release Notes
oracle.pngOracle 19cNot Tested

Here is the list of Servlet Containers we support and how they have been tested for this release:

 Servlet ContainerTested on:
tomcat-icon.pngTomcat 9.0.65
jetty-icon.pngJetty 10.0.7 (XWiki Standalone packaging)Not Tested
jetty-icon.pngJetty 10.0.7Not Tested

Known issues

Backward Compatibility and Migration Notes

General Notes

  • When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
    • xwiki.cfg
    • xwiki.properties
    • web.xml
    • hibernate.cfg.xml
  • Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you backup your Database before doing anything.

Issues specific to XWiki 14.4.3

Migration sending emails

A migration is provided as part of this upgrade that might trigger a reset password of some users. As part of this operation, some emails are automatically being sent by default: a first mail informing about a possible data leak, and a second mail for asking users to reset their password.

It's possible to chose whether the mails should be sent or not by editing the following properties:

#-# [Since 14.6RC1]
#-# [Since 14.4.3]
#-# [Since 13.10.8]
#-# This option is only used when performing a migration from a wiki before the versions mentioned above.
#-#
#-# This parameter defines if as part of the migration R140600000XWIKI19869 the passwords of impacted user should be
#-# reset or not. It's advised to keep this value as true, now for some usecases advertised administrators might want
#-# their users to keep their passwords nevertheless, then enable the configuration and set it to false before the
#-# migration is executed.
# security.migration.R140600000XWIKI19869.resetPassword = true

#-# [Since 14.6RC1]
#-# [Since 14.4.3]
#-# [Since 13.10.8]
#-# This option is only used when performing a migration from a wiki before the versions mentioned above.
#-#
#-# This parameter defines if reset password emails should be sent as part of the migration R140600000XWIKI19869.
#-# By default this value is set to true, so emails will be automatically produced. Now it's possible for admin to set
#-# this option to false: note that in such case a file containing the list of users for whom a reset password email
#-# should be sent will still be created in the permanent directory (named 140600000XWIKI19869DataMigration-users.txt).
#-# If this file exists and this property is set back to true after the migration, the file will still be consumed to
#-# send the emails, so it's possible to perform the migration and send the emails only later if needed.
# security.migration.R140600000XWIKI19869.sendResetPasswordEmail = true

#-# [Since 14.6RC1]
#-# [Since 14.4.3]
#-# [Since 13.10.8]
#-# This option is only used when performing a migration from a wiki before the versions mentioned above.
#-#
#-# This parameter defines if a security email information should be sent as part of the migration R140600000XWIKI19869.
#-# By default this value is set to true, so emails will be automatically produced. Now it's possible for admin to set
#-# this option to false: note that in such case a file containing the list of users for whom a reset password email
#-# should be sent will still be created in the permanent directory (named 140600000XWIKI19869DataMigration-users.txt).
#-# If this file exists and this property is set back to true after the migration, the file will still be consumed to
#-# send the emails, so it's possible to perform the migration and send the emails only later if needed.
# security.migration.R140600000XWIKI19869.sendSecurityEmail = true

Note that the mails are sent after the migration is actually performed, during the wiki intialization by reading a file named 140600000XWIKI19869DataMigration-users.txt created in the permanent directory during the migration. So it's possible for an administrator to set the properties for sending the emails to false for performing the migration, and to actually set them back to true before a next restart to send the emails at this moment. Be aware that the file is deleted as soon as the emails are processed to be sent: in case of failure for sending the emails, please check the administration of the wiki to see the status of the created emails.

It's also possible for administrators to configure the template of the first mail by creating a file named 140600000XWIKI19869-mail.txt in the permanent directory. The format of this template is the following:

Subject:<the subject of the email>
<the plain text content of the email>

By default, the mail template is the following:

Subject: Important security issue
Dear user,

due to a bug your password was stored in plain text in our wiki. We cannot exclude that your plain text password was exposed in a data leak. Therefore, you might receive a second email to choose a new password. 
Please contact the administrator in case of problem or for further questions.

Renaming of actions related to authentication

Two possible authentication resource URL can be used to respectively ask for a password reset, and ask for retrieving a username from an email address. The associated resource actions used to be /authenticate/reset and /authenticate/forgot. Since those were not very explicit we renamed them as part of fixing a bug, and they are now respectively named /authenticate/resetpassword and /authenticate/retrieveusername. So be careful to update your URLs if you use those in some places.

API Breakages

The following APIs were modified since XWiki 14.4.3:

No breakage!

Credits

The following people have contributed code and translations to this release (sorted alphabetically):

  • ClĂ©ment Aubin
  • Manuel Leduc
  • Marius Dumitru Florea
  • Michael Hamann
  • Oana-Lavinia Florean
  • Pascal BASTIEN
  • Simon Urli
  • Thomas Mortagne
  • Vincent Massol
  • slauriere
Tags:
   

Get Connected