Pydio Core 6.4.2 - Security Release

Created on 2016/07/25

Pydio Core 6.4.2 fixes several recently discovered vulnerabilities. Upgrading is therefore highly recommended and should be straightforward, either via the in-app engine (for archive-based installations) or your favorite Linux package manager (apt/yum).

Along with these fixes, there are many small bug fixes, plus some nice UX improvements in various locations to carry on the material design transition. 


  • Important security issues 
    • Missing input filtering in the "remote server" download feature, thanks to Gavin Holt from NCC Group.
    • Possible path traversal on Windows, thank you to Han Lee for reporting that one.
    • Fix Httpoxy by updating Guzzle library.
  • UX fixes and improvements (icons, thumbnails view, search results)
  • Fix indexation issues for synchronisation
  • Italian translations updated (DepaMarco), Czech translations updated (Svetlmodry)


Detailed Changelog

  • Update Italian translation for plugins (details)
  • Added test for intl php extension as it is used to localize month names (see IntlDateFormatter in AJXP_Utils::relativeDate) (details)
  • Fixed test for detecting php apc extension (positive result even if apc was not loaded) (details)
  • Adding plugin doc on plugin disclaimer (details)
  • Make sure to invalidate repositories cache after accepting user in DuoSecurity. (details)
  • Add minimum characters number on UsersCompleter (details)
  • Use caching to aggressively store directory listings, nodes metadata and nodes stats. Introduced caching namespaces, we could even provide different backends for different namespaces. Todo: create a user namespace to flush only specific resources. (details)
  • Expand Doctrine caches implementation to add "deleteKeyStartingBy" when possible (currently only APC and Redis). If this feature is supported, activate the nodes cache layer (otherwise we cannot prune a full branch of the filesystem tree). (details)
  • Confusion possible if overriding private method. (details)
  • Fix cache invalidation (details)
  • Empty mask filtering on meta.syncable can create an issue with sync downloads. (details)
  • Make sure to Normalize_C the filename when uploaded from xhr. (details)
  • Feed.sql: index should not be declared unique. (details)
  • Delete imagick cache can be deferred. (details)
  • Add test for AbstractCacheDriver (details)
  • Fix APCIterator namespace Action.share : use ConfService::replaceRepository to trigger cache invalidation CoreCache: hook to workspace.after_update to clear associated cache contents (details)
  • New action MigrateLegacyShares (details)
  • Catch error on minisite migration (details)
  • Add a MetaCacheService on the client side, caching Shared Data and Activity Feed with clever invalidation rules. Keep in memory for the moment, always clearing on workspace switch (and thus on logout). (details)
  • Remove log. (details)
  • Use new cacheService for (details)
  • Update (details)
  • Like was causing multiple rows to be added to ajxp_index when changing directory pathname (details)
  • Correctly change index for children whose ancestors dir name changed (details)
  • Fix SMB issue when trying to delete folder with a file named '0' in it (details)
  • Rebase and update (details)
  • Updated Italian translation for plugin 'action.updater' (details)
  • Adding Italian translation for plugin 'auth.custom_db' (details)
  • Suggest FIX for English translation of plugin 'auth.custom_db': replace 'connexion' with 'connection' that is more common (details)
  • Fix error webdav in root folder (details)
  • Fix user's roles update (details)
  • Option to zip downloading files on the fly (details)
  • Czech translation - plugins editor.webodf (details)
  • czech translation (details)
  • editor.text translation to Czech (details)
  • editor.soundmanager translation (details)
  • editor.infopanel translation (details)
  • editor.exif czech translation (details)
  • editor.codepress czech translation (details)
  • czech translation (details)
  • editor.ajxp_graphs czech translation (details)
  • Fix event on change error when cross-repository copy. (details)
  • Fix load users' feed (details)
  • Fix mapping to role id (details)
  • Adding Italian translation for plugin 'authfront.cyphered' (details)
  • Change S3 clients instantiation. (details)
  • SearchEngine: change "more results" messages, we may not know the exact total result count. (cherry picked from commit 58bbd23) (details)
  • Set REPO_SYNCABLE on default repositories (cherry picked from commit 86497a8) (details)
  • Adding react tap event clear dependency (cherry picked from commit 8c358fe) (details)
  • Fix group sorting in orderRoles ( close #1126 ) (details)
  • Fix URL for plugins documentation (details)
  • Set POST by default on client to avoid too long requests. (details)
  • Fix root node actions detection. Do not display inbox in cross repo list. (details)
  • Missing auto-complete styling for e.g. tags metadata. (details)
  • Fix fireContextChange by passing a dataModel: fix right-click instabilities. (cherry picked from commit 9d9851b) (details)
  • Fix possible issue in metastore for root node. (details)
  • Fix ShutdownScheduler that could skip deferred events when already in deferred loop. (details)
  • Dedup files in UserSelection (details)
  • Enable "Explore" action on root folder. (details)
  • Fix Team and Group listing and filtering by keeping an alt. pregexp value. (details)
  • Fix #1108: Caching issues for unoconv-generated previews of office files. (details)
  • Fix isUnique() function in datamodel. (details)
  • Missing var in disclaimer javascript. (details)
  • Refix group sorting. We must compare to 0. (details)
  • Fix TeamsList searching (details)
  • Css compile (details)
  • Adding support for latest versions of ElasticSearch #1184 (details)
  • Raise filtering level when downloading from remote or extracting archive. (details)
  • Fix strange display in authentication panel by passing smbclient as param instead of global_param (details)
  • Get editable value in FormManager. Close #1124 (details)
  • Imagick: close session to avoid blocking request when generating preview. Fix resize when loading page. (details)
  • Multiple DL: get parent base for zip file. (details)
  • Making sure node metadata for file info is valid for a deleted file #1127 (details)
  • Fix thumb positioning for Imagick preview (details)
  • Implement font-based mime icons. (details)
  • Rework Grid display w/ more space for thumbnails Display overlay icons in tree, that way we can enable some actions on root node (inc. watch on workspaces). (cherry picked from commit 9e0df5b) (details)
  • update extensions (details)
  • Readapt styles for font-based mimes (details)
  • Css details (details)
  • Add some extensions (details)
  • New plugtype strings (details)
  • Reload messages when switching language (details)
  • i18n update (details)
  • Escape quotes and parenthesis before setting backgroundImage style (details)
  • fix FR typo (details)
  • Re-implement QRCode feature for shared links (details)
  • Add QRCode action for passing user / server name via qrcode to new mobile apps. Disabled by default. (details)
  • Performance improvements mail digest (details)
  • More detailed info about update sites (details)
  • Quick fixes for inlineEdition - Probably to be rewritten properly. (details)
  • Add pagination controllers in folders tree (when in Selector mode only) to allow copying/moving data around even if inside another page. Fix #1179 (details)
  • Make sure to save before trying to send an invitation to internal users. Fix #1166 (details)
  • Update abstractAuth plugin (details)
  • Pass & in string return (details)
  • Proxy latest_note to avoid re-asking authentication to update site. (details)
  • Revert previous change, we already had the display_upgrade_note action. (details)
  • Correcting potential security issue on Windows in securePath (details)
  • Fix infoPanel action bars initialization when in editor mode. Fix #1145 (details)
  • Update DL page for Sync Clients (details)
  • Fix for #1117: don't remove tmp archive if using XSENDFILE (details)
  • Fix resize issues when display images fullscreen in minisite. Fix #1168 (details)
  • Fix #1176: catching all exceptions when sending mails and adding errors to the end report (details)
  • Fix z-index for videojs player, both in editor mode and fullscreen. Fix #1191 (details)
  • Use double-quotes instead of simple for links. Maybe see #1138 (details)
  • Fixing again parenthesis in background URL. (details)

