Kiwi TCMS 11.1

security improvements and bug-fixes

Posted by Kiwi TCMS Team on Wed 02 February 2022 under releases

We're happy to announce Kiwi TCMS version 11.1.

IMPORTANT: This is a small release which contains security-related updates, several improvements, bug fixes and new translations!

You can explore everything at https://public.tenant.kiwitcms.org!

Supported upgrade paths:

5.3   (or older) -> 5.3.1
5.3.1 (or newer) -> 6.0.1
6.0.1            -> 6.1
6.1              -> 6.1.1
6.1.1            -> 6.2 (or newer)

---

Container images:

kiwitcms/kiwi       latest  72099aa8ee93    629 MB
kiwitcms/kiwi       6.2     7870085ad415    957 MB
kiwitcms/kiwi       6.1.1   49fa42ddfe4d    955 MB
kiwitcms/kiwi       6.1     b559123d25b0    970 MB
kiwitcms/kiwi       6.0.1   87b24d94197d    970 MB
kiwitcms/kiwi       5.3.1   a420465852be    976 MB

IMPORTANT: version tagged container images are available only to subscribers!

Changes since Kiwi TCMS 11.0

Security

  • Update Django from 3.2.10 to 4.0.2 to fix several vulnerabilities: CVE-2022-22818, CVE-2022-23833, CVE-2021-45115, CVE-2021-45116, CVE-2021-45452. Of those we believe that only CVE-2022-23833 (Denial-of-service possibility in file uploads) may directly impact Kiwi TCMS.

Improvements

  • Update django-contrib-comments from 2.1.0 to 2.2.0
  • Update django-uuslug from 1.2.0 to 2.0.0
  • Update python-gitlab from 3.1.0 to 3.1.1
  • Update node_modules/marked from 4.0.10 to 4.0.12

Database

  • New migration for django-simple-captcha

Settings

  • RECAPTCHA_PUBLIC_KEY, RECAPTCHA_PRIVATE_KEY and RECAPTCHA_USE_SSL are no longer in use
  • New setting USE_CAPTCHA, defaults to True
  • The string "captcha" is added to INSTALLED_APPS
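
One way to audit a local settings override against the changes listed above. This is an added example, not code from the Kiwi TCMS project. It assumes the override is a Python file that assigns setting names at module level; the function name and the sample file are hypothetical.

```python
import ast

# Names the 11.1 release notes list as no longer in use.
OBSOLETE = {"RECAPTCHA_PUBLIC_KEY", "RECAPTCHA_PRIVATE_KEY", "RECAPTCHA_USE_SSL"}


def audit_settings(source):
    """Return sorted (line, name, message) findings for settings source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue  # augmented assignments extend the defaults, so skip them
        try:
            value = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            value = None  # computed at runtime, cannot be judged statically
        for target in node.targets:
            name = getattr(target, "id", None)
            if name in OBSOLETE:
                findings.append((node.lineno, name, "no longer in use, remove"))
            elif name == "USE_CAPTCHA" and value is False:
                findings.append((node.lineno, name, "overrides the default of True"))
            elif (name == "INSTALLED_APPS" and isinstance(value, (list, tuple))
                  and "captcha" not in value):
                # A wholesale replacement drops the entry added in 11.1.
                findings.append((node.lineno, name, 'replaced without "captcha"'))
    return sorted(findings)


# Constructed sample override file, not taken from any real deployment.
SAMPLE = '''\
import os
RECAPTCHA_PUBLIC_KEY = os.environ.get("RC_PUB", "")
RECAPTCHA_USE_SSL = True
USE_CAPTCHA = False
INSTALLED_APPS = ["django.contrib.auth", "tcms.core"]
'''

if __name__ == "__main__":
    for line, name, message in audit_settings(SAMPLE):
        print(f"line {line}: {name}: {message}")
```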

Bug fixes

  • Fix inappropriate RPC calls causing Version and Build dropdown widgets to display no values. Fixes Issue #2704

Refactoring and testing

  • Add tzdata to requirements
  • Replace django-recaptcha with django-simple-captcha
  • Adjust /init-db view to reliably detect when applying database migrations is complete and not exit prematurely

Translations

Kiwi TCMS Enterprise v11.1-mt

  • Based on Kiwi TCMS v11.1

  • Update kiwitcms-github-app from 1.3.2 to 1.3.3

  • Update django-ses from 2.3.1 to 2.4.0

  • Update python3-saml from 1.12.0 to 1.13.0

  • Workaround UnicodeDecodeError while building the docker image

    Private images:

    quay.io/kiwitcms/enterprise         11.1-mt         df5ce509fd41   854 MB
    quay.io/kiwitcms/version            11.1            72099aa8ee93   629 MB
    

IMPORTANT: version tagged and Enterprise container images are available only to subscribers!

How to upgrade

Backup first! Then execute the commands:

cd path/containing/docker-compose/
docker-compose down
docker-compose pull
docker-compose up -d
docker exec -it kiwi_web /Kiwi/manage.py migrate

Refer to our documentation for more details!

Happy testing!

---

If you like what we're doing and how Kiwi TCMS supports various communities please help us!