You can find full information about the update on the KVS forum: KVS 5.5.1 update.
A security issue in remote URL upload was fixed in this update. Luckily, this issue could only be exploited under a limited set of conditions:
- On projects where Apache was not installed, and thus the additional security layer was deactivated. For such projects it is required to configure Nginx to prevent access to publicly writable directories.
- On projects where KVS files were installed under the same OS user that Apache was running as.
We extended the audit security check to report these configuration issues as errors (previously they were reported as warnings), so after the update please run installation + security check in the audit plugin and make sure you don't have any errors there.
If you don't want to update to 5.5.1, you can apply the security patch on top of 5.5.0, or you can disallow URL upload for the public in Settings -> Content settings (Upload from URL option). If your version is very old and doesn't allow disabling URL upload in settings, it is highly recommended to update, otherwise your project may be vulnerable.
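As an added illustration of the Nginx requirement above (this is not KVS's own configuration and the directory names, document root and PHP-FPM socket path are placeholders you must replace with the writable directories reported by the audit plugin and your real paths), the following server block refuses to execute scripts from writable directories and refuses to serve writable directories that hold no public files at all:

```nginx
server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/kvs;                  # placeholder document root

    # Writable directory that should never be reachable over HTTP.
    # "^~" is a prefix match that stops further regex matching, so the
    # generic PHP location below can never apply to it.
    location ^~ /WRITABLE_PRIVATE_DIR/ {
        deny all;
    }

    # Writable directories that must serve media (screenshots, videos)
    # but never execute anything. Regex locations are tried in order,
    # so this block must come before the generic PHP handler.
    location ~ ^/(WRITABLE_DIR_A|WRITABLE_DIR_B)/.*\.(php|phtml|phar)(/|$) {
        return 403;
    }

    # Normal PHP handling for the rest of the application.
    # try_files prevents passing non-existent paths to PHP-FPM.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading Nginx, confirm the rule works by requesting a harmless test file you placed in one of those directories (e.g. `test.php` containing only a comment) and checking that the response is 403 rather than an executed script, then re-run the audit plugin's security check.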
- Exporting feeds was optimized in terms of memory usage and output generation to allow generating bigger sets of data without pagination.
- Importing feeds now supports automatic pagination, so they can be configured to query data while auto-skipping the N videos from previous requests, to import all available videos from a paginated feed.
- Channels now also support synonyms.
- The IP blacklist in Anti-spam settings now better supports IPv6 addresses and 2nd-level masks (11.22.*). Previously only 3rd-level masks (11.22.33.*) were supported.
- The DigiRegs plugin was finalized based on real-world testing and is finally ready for use.
- In grabbers you can now use colons as part of replacement text, but they need to be specified as a double colon (::). Text replacements also now support partial matches.
- In stats settings we added a summary of how much disk space is used to store each type of stats. In some cases, with specific stats enabled, this can take GBs. The stats cleanup procedure will now clean up database tablespace as well.
- In related videos it is now possible to use the External Search plugin for generating related videos, for example using an external Sphinx server for that.
- In list_members_events we added the ability to show events of a user's subscriptions (similar to showing events of a user's friends).
Bugs that have been fixed:
- [CRITICAL] Security issue, see above.
- [MEDIUM] In some cases grabbers could create import tasks that would not process all videos or albums.
- [MEDIUM] Version 5.5.0 did not allow including some traffic trade scripts due to a function naming conflict.
- [LOW] The option that disallowed tags with specific characters didn't work correctly with non-Latin characters.
- [LOW] Re-creating screenshots was not possible for embedded videos even if video URL was provided.
- [LOW] Player didn't show cuepoints on mobile devices.
- [LOW] Player didn't render subtitles after switching to another video quality.
- [LOW] Animated WebP images were not supported as manually uploaded screenshots and photos.
- [LOW] KVS didn't allow creating timeline screenshots for videos longer than 4 hours.
- [LOW] Several performance issues in the admin panel with a huge amount of videos.
- [LOW] Rotator interval change was not actually applied.
- [LOW] In some cases tag rename didn't add old tag name as a synonym.
- [LOW] In some cases deleting video screenshots could result in partially broken screenshots.