This is a security release to fix a number of security related issues.
- A vulnerability was recently discovered in ImageMagick, which, depending on your configuration, IPS Community Suite may use manipulate images. This update verifies that images sent to ImageMagick begin with the expected "magic bytes" corresponding to the image file type.
- We are engaging in a third-party security audit of IPS Community Suite and this update contains a lot of security hardening. Many of these issues are not critical but we do still want to get the updates to you.
This release only contains security fixes only. 4.1.12 will be our next general maintenance release.
In addition to the ImageMagick fix described above, this update contains fixes for the following issues:
- Session hijacking vulnerabilities with unmunged URLs and with referrer leaking
- Several XSS vulnerabilities
- An open redirect vulnerability
- Under some circumstances, the reputation activity on a user's profile could reveal the titles of hidden content.
- Under some circumstances, the "post feed" sidebar widget reveal the titles of hidden content.
- The "Resend Confirmation Email" and "Change Email" buttons which appear when validating, and the "lost password" tool had no rate limiting, which could allow a malicious user to send lots of emails damaging the server's reputation.
- Uninstalling an application caused Pages pages to lose their sidebar configurations.