Updates for all versions of ExpressionEngine have been released today to incorporate several security improvements and critical bug fixes. No sites are known to have been affected by the security issues, all of which are obscure. However, sites could be affected, so this update is recommended for all users.
2.1.3 and 2.1.4 Beta are both build releases that incorporate a CodeIgniter security release that improves XSS filtering and sanitization of variables passed in the URL. There are also two ExpressionEngine-specific security changes in the new builds: a tightening of the encryption used with the contact form and improved handling of code tags in submitted data.
All Critical-Major bugs existing at the time of the release were also fixed. The full list of 2.1.4 Beta changes can be viewed in the Change Log. Developers should note that the security library should no longer be explicitly loaded. Version 2.1.3 incorporates all of those changes plus the critical bug fixes that had already been added to the Beta:
- Fixed a bug (#14821) where the category tree would not properly sort by a custom order.
- Fixed a bug (#14708) where the control panel login did not redirect with a session ID, breaking access in some cases.
- Fixed a bug (#14417) in the Metaweblog API where categories were not properly entered when creating a new entry.
Version 1.7.1 is a version update that includes the XSS filtering changes and the changes to code tag handling as well as a number of bug fixes. See the change log for a full list of changes.
More info: http://expressionengine.com