Key Changes

This is a maintenance release to fix reported issues and add refinement to existing features. In addition to bug fixes and performance improvements, it includes following new/changed features:

• Instant notifications are now dismissible.
• The sidebar has been added back to the stream pages.
• You can now sort by most downloaded in Downloads app.
• The ModeratorCP and AdminCP IP Address Tools now allow you to track the IP addresses used to vote in polls.
• A new setting has been added to disable the RSS feed for activity streams.
• A new setting has been added to specify the minimum display name length.
• Adds a new “can unban” moderator permission separate to the “can edit profiles” permission being used previously.
• IP addresses now show in reports.
• There is now a constant-level setting to disable the ACP IP address check in case of being locked out of the ACP.
• Several improvements to Commerce to make some features clearer: the Shipping Rates configuration pages now indicate to the admin if a potential mistake has been made, the front-end indicates to admins if no support departments have been set up, and the renewal settings wording has been clarified.

Additional Information

Security Fixes

This release includes fixes for several security issues:

1. A CSRF vulnerability on moderation tools, meaning a malicious user could exploit a moderator’s session to perform moderator actions.
2. Several XSS vulnerabilities meaning if a malicious user could convince another user to perform particular steps, limited arbitrary JavaScript could be executed.
3. A vulnerability that could cause attachments to be downloaded automatically without the user requiring to click on them.
4. A vulnerability that could allow malicious users to modify other users stream settings.

Other Important Fixes

In addition to over 100 smaller bug fixes and performance improvements, the following important fixes are included:

• Errors in Commerce when using a locale that uses a comma as the decimal point.
• If friendly URL rewriting is not enabled, links shared on Facebook do not work.
• Several issues with Anti-Fraud rules in Commerce, especially in conjunction with PayPal.
• The “Upcoming Events” widget in Calendar may not show all events.
• Pagination in some areas may be incorrect.
• Several issues with BBCode, especially IMG tags inside of URL tags and lists.
• Several issues with the new activity stream including an issue where container filters may not work and some situations may cause the page to overflow because the filter bar is too wide.
• Emoticons may appear squished in the Chat application.
• The support request auto resolve feature in Commerce may send emails at the wrong time.
• Using MariaDB may cause some tables to be converted to MyISAM from InnoDB.
• Some filters in the mass-move/prune feature in the AdminCP weren’t working correctly.
• Trying to set up the 2CheckOut gateway in Commerce may not work.
• Several MaxMind issues, including transactions made by guests would show an error.
• Items set to be excluded from the sitemap may still be included.

Information for 3rd party developers

• ProfileSync classes are no longer required to have a photo() method
• jQuery has been updated to 1.12.2
• CodeMirror has been updated to 5.13
• Login Handlers must now implement a canProcess() method to verify that the login handler can be used in the event a member disassociates their account from a different service.