2.7.8: Security Release

Discourse 2.7.8 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta, are production ready.

Changes

Security:

  • Sanitize d-popover attributes (CVE-2021-37633)
  • Destroy EmailToken when EmailChangeRequest is destroyed (CVE-2021-37693)
  • User’s read state for topic is leaked to unauthorized clients (CVE-2021-37703)
  • Escape cat name (CVE-2021-39161)