Ha Gao (Update)

@SKuipers released this 10 Nov 06:48 · 1033 commits to main since this release

An external security researcher has recently alerted us to a security vulnerability that impacts Gibbon v23.0.00 and above.

We have validated their claims and can confirm that this issue opens the possibility for logged-in users to carry out a stored Cross-Site Scripting (XSS) attack. Whilst this is indeed serious, it is important to know that this type of vulnerability cannot be exploited from outside of Gibbon's logged-in areas, and we have not seen evidence that it has been actively exploited in any known installations.

We would like to thank the Aware7 security agency and researcher Mario Klawuhn for bringing this to our attention through responsible disclosure practices. Information about our security policy can be found on our GitHub repository, including our commitment to following best practices for software security releases and disclosure.

In responding to this vulnerability we have created and tested a patch, which we are confident resolves the issue. The patch and instructions can be accessed through the following download link:

Download Patch

Schools are recommended to update their systems using this single-file patch, which can be applied to any v23.0.00 to v25.0.00 system. Applying this patch avoids the need to update your entire installation. The fix itself has also been applied to the current version of Gibbon and released as Gibbon v24.0.01.

We have worked with the researcher to delay public disclosure until our community has had time to patch their systems, which we recommend you do as soon as possible. Public disclosure will not take place until November 25th, 2022.

Our aim is to give schools a reasonable window of time to patch their systems, after which time we will post a security advisory about the vulnerability in our core repository on GitHub. If you have any questions about updating your system, please post on our Gibbon Support Forum.

Thank you, on behalf of the Gibbon Team, for your time and attention to this security concern.

Sandra Kuipers
Gibbon Maintainer


Welcome to Gibbon v24.0.01 (Ha Gao). We’re pleased to announce the addition of a new Admissions module along with flexible Form Builder functionality. Together, these new features enable schools to customize their application forms and give administrators more tools for tracking and working with applicants. Given the scope of these changes, we’ve marked them as beta for v24, and the original application form is still in place and fully functional. For the initial release of the Form Builder we’ve focused on ensuring the application functionality is robust and stable, and in the future this feature will enable creating other types of forms in Gibbon.

The v24 release also includes a new Multi-Factor Authentication option for users, iCal timetable export, improved user photo uploader, and more than 50 other enhancements and improvements.

Our appreciation goes out to everyone who continues to work hard to translate Gibbon into their language. Thanks to your ongoing efforts Gibbon is available in 22 languages! If you would like to volunteer to translate Gibbon into your language, please email [email protected].

We are continuing to build a map of schools using Gibbon and/or Free Learning, and we’d love to know about your usage. If you have a moment, please complete our 3-minute form: https://bit.ly/3idoTWw

“‘Ha Gao’ (蝦餃, har gow) is a traditional Cantonese dumpling served in dim sum. The dumpling is sometimes called a shrimp bonnet for its pleated shape. This dish is often served together with siumaai; when served in such a manner the two items are collectively referred to as hagaau-shaomai (蝦餃燒賣, xiājiǎo shāomài). Har Gow, Siu Mai, Char Siu Bao, and Egg tarts are considered the classic dishes of Cantonese cuisine and referred to as The Four Heavenly Kings. (四大天王, sì dà tiān wáng)” - https://en.wikipedia.org/wiki/Har_gow

IMPORTANT NOTES FOR v24.0.01

• Gibbon v24 requires a minimum PHP version of 7.3. Please check to ensure your server supports this requirement before upgrading. Gibbon v24 supports PHP 8.1 and MySQL 8.0, which are the highest recommended versions.

• Always back up your files and database before upgrading. This is especially important for this release, as there are a number of structural changes to the database.

• If you are upgrading, please read the Changes With Important Notices section of /CHANGELOG.txt before you install, to see if your upgrade requires any manual intervention.

• Our Gibbon Development Road Map will be updated shortly, and will include our GitHub branch and project board for v25 and future release dates. Take a look at https://docs.gibbonedu.org/developers/getting-started/gibbon-road-map

EXPERT SUPPORT & CERTIFICATION
The Gibbon community continues to offer a high level of friendly, timely and knowledgeable support via our forums. For schools requiring support beyond what the community provides, we offer a range of Expert Support and Certification options via gibbonedu.com.