Pydio Core / Pydio Enterprise 8.2.4 - Security Release
This release provides bugfixes and security fixes for Pydio 8 and Pydio Enterprise 8; upgrading is highly recommended. CVEs are being submitted.
Migrate to Cells today!
Please note that this is the last update provided for the Pydio 8 community edition, which is considered end-of-life at the end of 2019. But Pydio is far from dead: for two years now, we have been releasing Pydio Cells, a full rewrite of the PHP product in Golang. It has been running in production since then, and provides improved performance, stability and features compared to Pydio 8.
Cells 2.0 provides an embedded migration tool for importing data from an existing Pydio 8 installation (users, workspaces, shares, metadata). Time to upgrade!
Upgrade Pydio 8
Patches are provided for the last stable release of each major version:
Archive Installations & Debian/APT Packages
Upgrade to 8.2.4 can be done using the in-app engine or via the Linux Package Manager. Make sure to be on the "Stable" channel.
YUM / RPM Packages
Upgrading the PHP version requires additional changes if you are using the RPM packages (RHEL/CentOS). As all PHP 5.6 dependencies have been removed from the SCL repository, the PHP version changes from 5.6 to 7.2.
First, make sure you have a backup of your installation. The most important data is located under /usr/share/pydio and /var/lib/pydio/plugins.
A - Release Packages
Update the two Pydio release packages to get the new repository files:
yum update pydio-release
yum update pydio-enterprise-release
Note: If you are using the Enterprise version, please re-edit API_KEY and API_SECRET in /etc/yum.repos.d/pydio-enterprise.repo
You should see that the content of /etc/yum.repos.d/pydio.repo has changed. There are no new packages inside the [pydio] repo, so you must disable [pydio] and enable [pydio-php72] instead to continue the upgrade.
Note: the changes may be stored in a new file with the .rpmnew extension.
[pydio]
name=Pydio official packages for community version
baseurl=https://download.pydio.com/pub/linux/centos/7
enabled=0
gpgcheck=1
protect=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PYDIO

[pydio-php72]
name=Pydio official packages for community version
baseurl=https://download.pydio.com/pub/linux/centos/php72/7/
enabled=1
gpgcheck=1
protect=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PYDIO
For Pydio Enterprise, please apply the same changes inside the pydio-enterprise.repo file.
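The repository switch from step A can be checked before any package is updated. The following is an added example, not part of Pydio's release notes or tooling: the function name check_pydio_repo and the sample file are constructed for illustration, and treating a missing gpgcheck or gpgkey line in an enabled section as a problem is a deliberately strict assumption.

```shell
# Added example (not Pydio's code). Prints one line per problem found in a
# yum .repo file and returns non-zero if there is any.
check_pydio_repo() {
    repo_file=$1; rc=0
    [ -r "$repo_file" ] || { echo "cannot read $repo_file"; return 2; }
    # A leftover .rpmnew means the packaged definitions were never merged.
    if [ -e "$repo_file.rpmnew" ]; then
        echo "unmerged changes in $repo_file.rpmnew"; rc=1
    fi
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^\[.*\]/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); order[++n] = sec; next }
        sec != "" && index($0, "=") {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            kv[sec, key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]; seen[s] = 1
                # yum treats a section without "enabled" as enabled.
                on = ((s, "enabled") in kv) ? kv[s, "enabled"] : "1"
                if (s == "pydio" && on != "0") { print "[pydio] must be disabled"; bad++ }
                if (s == "pydio-php72" && on != "1") { print "[pydio-php72] must be enabled"; bad++ }
                if (on != "0" && kv[s, "gpgcheck"] != "1") { print "[" s "] enabled without gpgcheck=1"; bad++ }
                if (on != "0" && kv[s, "gpgkey"] == "") { print "[" s "] enabled without gpgkey"; bad++ }
            }
            if (!("pydio-php72" in seen)) { print "[pydio-php72] section missing"; bad++ }
            exit (bad > 0)
        }
    ' "$repo_file" || rc=1
    return $rc
}

# Constructed sample: the edit from step A was only half done.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[pydio]
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PYDIO
[pydio-php72]
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PYDIO
EOF
check_pydio_repo "$sample" || echo "repo file needs attention"
rm -f "$sample"
```

On a real host the function would be pointed at /etc/yum.repos.d/pydio.repo, and at pydio-enterprise.repo only if its section names match the ones checked here.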
B - Update Packages
Execute the following commands to clean the yum cache and update the package database:
yum clean all
yum update pydio
If there is no error, you can press 'y' to launch the Pydio update process.
C - Post upgrade
Pydio bootstrap.json
Because PHP 7.2 uses mysqli by default, you should reconfigure the Pydio bootstrap.json file: /var/lib/pydio/plugins/boot.conf/bootstrap.json
"mysql_use_mysqli":true
PHP configuration php.ini
The older PHP version used /etc/opt/rh/rh-php56/php.ini, but PHP 7.2 now uses /etc/opt/rh/rh-php72/php.ini. You should reconfigure this new php.ini as you did for version 5.6. The most important parameters are listed below:
output_buffering = Off
upload_max_filesize = 1024M
post_max_size = 1024M
max_execution_time = 1200
memory_limit = 1224M
Remove pydio plugin cache
rm -rf /var/cache/pydio/plugins_*
Restart apache
systemctl restart httpd24-httpd
Credits
Many thanks to Sammy Forgit (Certilience) for reporting the vulnerabilities.
Downloads