Release notes for Magnolia CMS 6.2.13

LTS release • Delivered on November 15, 2021 • Changelog: 20499

Magnolia CMS 6.2.13 is a bug-fixing and security release that also delivers a number of updates and improvements.

magnolia-dx-core-webapp-6.2.13.war
magnolia-dx-core-demo-webapp-6.2.13.war
magnolia-community-demo-webapp-6.2.13.war
mtk_2.0.zip (as a light module)

Connector Pack and Special Feature updates

Commerce Connector Pack 1.3.1 released on October 6, 2021.
DAM Connector Pack 1.0.8 released on October 27, 2021 and 1.1.0 released on November 15, 2021.

See the Connector Pack and Special Feature changelog for details on these releases.

Improvements

Format icons and MIME types appear for uploaded assets

In the Assets app, you can now see the appropriate format icons when you upload the following asset types: PDF, Word, Excel, PowerPoint, video and audio.

Asset format icon

In the asset browser, there is also a new Type column that specifies the MIME type of each uploaded asset.

Asset type column

MGNLDAM-833

Assets app added to App launcher via decoration

The Assets app has been removed from the JCR App launcher configuration and added via decoration instead. In case of a custom App launcher configuration, you might need to update the resource file or provide your own decoration to move it from the default location. For example:

appLauncherLayout:
  groups:
    edit: #Remove from the default location
      apps:
        dam:
          enabled: false
    manage: #You can still use the old JCR configuration here instead
      apps:
        dam:
          enabled: true

MGNLDAM-992

Notable bug fixes

The number of cookies (HTTP headers) generated for stateless login CSRF protection has been reduced. The CSRF cookie path no longer includes the request’s path (MAGNOLIA-8209).
The Notifications app does not crash anymore when opening notification details from the Configuration app (MGNLUI-6613).
Images embedded in rich text fields are now displayed correctly on the public instance after publishing (MGNLUI-6624).
Thumbnail links are no longer generated with two dots before the file extension (MGNLUI-6798).
Validation errors now also appear for the inner fields of a multi field (MGNLUI-6842).
Actions in the context menu are now always in sync with those in the action bar (MGNLUI-6853).
Custom actions for Magnolia 5 UI dialogs can now be used in Magnolia 6 UI apps (MGNLUI-6878).
In the Travel Demo, component variants are rendered correctly again when switching to German on the home page (MGNLDEMO-386).
In the Assets app, publishing child nodes is now only possible if the parent node is already published. Additionally, unpublishing is no longer available for nodes that are not published (MGNLDAM-948).
In the Workflow module, recursive publishing runs asynchronously again by default (MGNLWORKFLOW-403).

Third-party library updates

This release comes with the following third-party library updates to fix some security and compatibility issues:

AWS SDK and Netty updated to 2.17.71 and 4.1.68.Final respectively (BUILD-568).
GeoIP2 updated to 2.15.0 (BUILD-551).
Imageio updated to 3.4.3 (BUILD-555).
Log4j updated to 2.13.3 (BUILD-559).
Rome Tools updated to 1.12.2 (BUILD-560).
Swagger Core updated to 2.1.11 (BUILD-564).
Tomcat updated to 9.0.54 (MGNLTOMCAT-20).
Vaadin updated to 8.14.1 (BUILD-556).

We keep the details of security fixes private in line with our security policy. Contact our Support team if you need more information.

Security advisory

We now validate login CSRF tokens with HMAC. The new HmacCsrfToken strategy generates an HMAC CSRF token that expires after a configurable interval. The previous RandomCsrfToken strategy is now deprecated.

Logging into Magnolia after leaving the login page idle for 10-20 minutes returns a 403 Forbidden error due to an expired CSRF token. To resolve this issue, reload the login page.

MAGNOLIA-7899 (restricted access)

Others

Known issues

If you are upgrading from an earlier version, read the Upgrading to Magnolia page first and check the Known issues page.

Documentation screenshot updates

Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.

Updated modules

Barebones Tomcat Bundle 1.2.6
Blossom 3.4.7
Community Edition 6.2.13
Content Dependencies 2.0.3
Content Editor 1.3.10, 2.0.3
DAM 3.0.11
Demo Projects 1.6.4
DX Core 6.2.13
External DAM 1.0.8
GraphQL 1.0.2
Image Recognition 1.2.5
Imaging 3.5.1
Language Bundles 1.1.7
Magnolia 6.2.13
Mail 5.5.9
Pages 6.2.12
Personalization 2.0.12
Publishing 1.3.2
Resources 3.0.6
Site 1.4.3
Text Classification 1.1.4
Third-party library BOM 6.2.13
UI 6.2.13
Vaadin Compatibility Addons 1.3.10
Workflow 6.0.5

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Jordie Diepeveen, Philipp Güttler, Matthias Müller, Pierre Sandrin and Simon Tourville.

Feedback

DX Core