3.1.4: Security and bug fix release

Discourse 3.1.4 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Bug Fixes

  • Validate each value in an array custom field separately (24659)
  • Allow setting an array custom field to a singleton value (24636)
  • Preserve custom field array order (24491)

Security Changes

  • Prevent guest users from accessing secure uploads when login required CVE-2023-49099
  • Store custom field values according to their registered type CVE-2024-21655
  • Run custom field validations with save_custom_fields CVE-2024-21655
  • Ensures mentioned_users is limited CVE-2023-48297