2.8.10: Security Release

jomaxro · November 1, 2022, 5:34pm

Discourse 2.8.10 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Changes

Security:

Restrict display of topic titles associated with user badges CVE-2022-39378
Expand and improve SSRF Protections CVE-2022-39241
Fix invite link email validation CVE-2022-39356

Plugin Security Updates

Multiple plugins have also received security fixes. Be sure to update plugins in addition to Discourse.

Patreon: Critical security fix for the discourse-patreon plugin
Chat: Channel name and description susceptible to XSS CVE-2022-39279
Chat Integration: Insufficient Server Side Request Forgery protections CVE-2022-39241
OAuth2 Basic: Insufficient Server Side Request Forgery protections CVE-2022-39241
OpenID Connect: Insufficient Server Side Request Forgery protections CVE-2022-39241

Topic	Replies	Views
2.8.12: Security Release announcements release-notes	783	November 28, 2022
2.7.10: Security Release announcements release-notes	858	November 15, 2021
2.8.8: Security Release announcements release-notes	836	August 10, 2022
2.8.11: Security Release announcements release-notes	919	November 14, 2022
2.8.9: Security Release announcements release-notes	1064	September 29, 2022

2.8.10: Security Release

Discourse 2.8.10 Stable Release

Changes

Security:

Plugin Security Updates

Related Topics