New features in 2.9.0.beta4
Rebuild required. The rebuild will update package versions to latest, and must be completed if the site has not be been rebuilt from the command line in the past day.
Security Updates
This beta includes 5 security fixes for issues reported by our community and HackerOne.
- Update Nokogiri to 1.13.4.
- Category group permissions leaked to normal users.
- Avoid leaking private group name when viewing category.
- Hide private categories in user activity export
- Ensure user-agent-based responses are cached separately
Note that discourse_docker, the Docker image upon which Discourse run, also has a security update. The manual rebuild mentioned above is required to pull in this fix. This will result in downtime.
Add Sitemap Support
Discourse now support sitemaps without the need for a plugin. This includes the same features of the Discourse Sitemap plugin, which can be safely uninstalled after updating.
Discourse Connect Provider 2FA Support
If you use Discourse as your identity provider for external sites, you can now require that users be prompted to confirm their 2FA. See GitHub for full details.