Focus: minor bug fixes, maintenance, security
The security vulnerability is critical. We advise to update quickly.
Bugs fixes
- Typo in changelog.
- Field userkgusergroupsUserGroupId in table user_kg_usergroups should not accept NULL on first install.
- Fix [#304] (missing input when clicking on Quarantine in Admin menu).
- Syntax error in TinyMCE spellChecker code.
- Syntax errors in API doc.
- Remove some leftover print_r() statements.
- Fix a missing icon when deleting a resource.
- Correct totals when paging through the front page list.
- Fix a missing input error in bibliographic/citation styles (bugs [#249] & [#305]).
- Fix a crash on upgrade of step 34 for version 6.4.0. MariaDB and/or MySQL engines don’t support to fill, drop, and create a table in a single transaction.
- Vendor components cannot be enabled/disabled.
- Ensure that user database rows are universally deleted when deleting a user.
- Ensure that logged-in users can attach resources to user tags.
- Ensure that logged-in users can only edit a resource's categories, keywords, and languages if they own the resource or allowed to by the superadmin.
- Add a default value to the users.usersFullname field [#316].
Maintenance
- The curl_close() function no longer has an effect (PHP 8.0 support) [#265].
- Update future TinyMCE (5.6.2).
- Add browserTabID functionality to the home page.
- Update Smarty (v3.1.38).
- Update style xml files for locales [#308].
- Bump component compatibility version of styles to 5.
- Fix some typos [#310].
- Simplify MySQL/MariaDB version query.
- Full Ukranian translation (thanks to Yuri Chornoivan).
- Set utf8mb4_unicode_520_ci as the default collation of the database.
- Improve browserTabID functionality for single resource views.
- Credits of translators.
Security
- A cross-site scripting (XSS) vulnerability in many forms of version 6.4.0 allows remote attackers to inject arbitrary web script or HTML via the 'message’ parameter (CVE-2021-3340, thanks to jppuetz).